Abstract

We revisit the problem of real-time verification with dense time dynamics using timeout and calendar based models, originally proposed by Dutertre and Sorea, and simplify this to a finite state verification problem. To overcome the complexity of verification of real-time systems with dense time dynamics, Dutertre and Sorea proposed timeout and calendar based transition systems to model the behavior of real-time systems and verified safety properties using k-induction in association with bounded model checking. In this work, we introduce a specification formalism for these models in terms of Timed Transition Diagrams and capture their behavior in terms of the semantics of Timed Transition Systems. Further, we discuss a technique which reduces the problem of verification of qualitative temporal properties on the infinite state space of (a large fragment of) these timeout and calendar based transition systems into that on clockless finite state models, through a two-step process comprising digitization and canonical finitary reduction. This technique enables us to verify safety invariants for real-time systems using finite state model checking, avoiding the complexity of infinite state (bounded) model checking, and to scale up models without applying techniques from induction based proof methodology. Moreover, we can verify liveness properties for real-time systems, which is not possible using induction with infinite state model checkers. We present examples of Fischer's Protocol, the Train-Gate Controller, and the TTA start-up algorithm to illustrate how such an approach can be efficiently used for verifying safety, liveness, and timeliness properties specified in LTL using finite state model checkers like SAL-smc and Spin. We also demonstrate how advanced modeling concepts like inter-process scheduling, priorities, interrupts, and urgent and committed locations can be specified as extensions of the proposed specification formalism, which can then be subjected to the proposed two-step reduction technique for verification purposes.

Keywords: Real-Time Systems; Timeout and Calendar Model; Clockless Model; Finite State Verification
1 Introduction

Real-time systems are an important class of mission critical systems, which have been well studied for their design, implementation, performance and verification. Modeling and verification of real-time systems in the dense time domain is an important problem area that has evoked a lot of research interest in the recent past. Because the state space of real-time systems with continuous dynamics is uncountable, modeling and verifying them is rather difficult, in particular using explicit state model checkers. Many formalisms have been used to model and verify real-time systems. Notable among them are different kinds of timed transition models [Alu99, HMP92b], timed process algebras [BeJ9T, DaH95, NiS94], and real-time logics [AlH90, BMN00].

In [DuS04a], Dutertre and Sorea considered verification of a train-gate controller modeled as a timed automaton. Though they could specify the timed automata model as a state transition system in the infinite state model checker SAL [MOR04], it did not produce the desired results. In particular, the clock variables occurring in timed automata would be updated in arbitrarily small increments, leading to infinite trajectories during which the discrete state remained idle. This made the proof of safety properties by k-induction quite hard, and sometimes impossible. The fact that the traditional semantics of timed automata allows several time steps to occur in succession is an obstacle to proving properties by k-induction.

To address this problem the same authors proposed timeout and calendar based transition models [DuS04a, DuS04b], originally from discrete event simulation, to represent the behavior of time-triggered systems with dense time dynamics. These models are amenable to general-purpose verification environments like SAL, in which state machines and their compositions can be specified. In this modeling approach, each process in the system has a timeout that holds the time when the next discrete transition of the process would happen, and there is a global data structure, called the calendar, which stores future events (message deliveries) and the time points at which these events are scheduled to occur. During the time progress transition, time is advanced to the minimum of the timeouts of the processes, or to the least time point at which a message will be delivered in the future, whichever is less. Further, Dutertre and Sorea used this calendar based model along with timeouts for individual processes to model the TTA startup protocol in SAL [DuS04b]. Using bounded model checking, they proved a safety property by k-induction. However, these proofs using induction do not usually scale up well; a safety property often cannot be proved at induction depth 1. Sometimes safety properties are not inductive at all and need the support of auxiliary lemmas. In [DuS04b], a safety property for the TTA startup algorithm with only 2 nodes has been proved by using 3 additional lemmas. A verification diagram based abstraction method proposed in [Rus00] has been used to prove the same safety (invariant) property for scaled up models (up to 10 nodes). However, liveness properties still remain beyond the scope of this approach.

While only safety properties can be verified on these models with dense time, discrete time modeling of the same can help verify liveness and timeliness properties, and also help scale up proofs for safety properties. It turns out that verification of a real-time system in the dense domain is equivalent to verifying the system in the discrete domain if both the behavior of the system captured by the model and the properties considered are digitizable [HMP92a]. It can be shown that if the timeout updates are not restricted to (0, 1)-intervals, then, similar to the timed transition systems of [HMP92a] (refer to Theorem 2 therein), transition systems for timeout and calendar based models also give rise to digitizable behaviors (computations). Also, verification of qualitative properties like safety and liveness in the discrete time domain is equivalent to verifying these properties in the dense time domain (refer to Proposition 1 in [HMP92a]).

Techniques like bounded model checking [MRS03, DuS04a] can be useful for detecting bugs during the verification process even in the discrete domain, where one systematically searches for counterexamples of length bounded by some integer k. The bound k is increased until a bug is found, or some pre-computed completeness threshold is reached. Unfortunately, it is usually very expensive to compute completeness thresholds. Also, these thresholds may be too large to effectively explore the bounded search space. Additionally, such completeness thresholds may be absent for many infinite-state systems. A finite state modeling of the system can help to explore the state space much more easily. Examples of finite state model checkers are Spin [Hol93], the SAL-smc solvers [DuS04a], etc. Spin has been used to finitely model the TTA startup algorithm using a clockless calendar based model [SMR07]. In terms of scalability, finite state verification of TTA in Spin is almost comparable to the verification of TTA based on the verification diagram oriented abstraction method [DuS04b]. Moreover, liveness properties can be verified in this framework.

In this work, we aim to carry out finite state modeling and verification on timeout and calendar models without continuously varying clocks. As the models proposed earlier have drawbacks from the point of view of design considerations, like the absence of formally defined syntactic models and associated semantics, we slightly deviate from them. We consider the specification framework of timed transition diagrams and extend it to formalize timeout and calendar based models as timeout and calendar based transition diagrams, and their behavior in terms of the semantics of transition systems. The benefits that we derive from using this formalization are many-fold. Our framework of timeout transition diagrams inherits most of the properties of the classical timed transition systems introduced in [HMP92b]. Most of the techniques, like digitization, that can be applied to these timed transition systems are applicable to our formalization also. It can also be used to model time-triggered systems and reason about them. Finally, we use this formal modeling framework to reduce the continuous time verification problem to discrete time finite state verification, albeit under some restrictions. Towards that, we use a two-step technique comprising digitization and finitary reduction (a schematic diagram of this technique is shown in Figure 1). We show that the computations of timeout and calendar models are digitizable provided the timeout increments are not restricted to (0, 1)-intervals. As LTL properties are qualitative and hence digitizable, verification of LTL properties on timeout and calendar models in dense time is equivalent to that in discrete time. The next step is to reduce this problem into an equivalent finite state verification problem. We could not directly proceed to extract finite state models from dense time models, since the latter are inherently infinite (and dense) and hence it is not possible to render them finite even by bounding the variables. Also note that such a modeling cannot be directly subjected to finite state verification since, for timeout and calendar based models, global time and timeouts always increase. Nonetheless, we propose a finitary reduction technique which effectively reduces the infinite state timeout and calendar based transition systems with discrete dynamics into a finite state transition system. We achieve this by using a clockless modeling technique which effectively strips the model of the global clock, keeps track of the relative updates of timeouts, and restricts the values of variables/timeout updates to bounded domains. We demonstrate by examples how such a modeling approach can be efficiently used for verifying safety, liveness, and timeliness properties using the finite state model checkers SAL-smc and Spin. We also highlight the scalability of such models for verification purposes by comparing the performance of such models under dense time and finite state modeling. A preliminary version of this paper appeared in [SMR07].

Figure 1: A two-step verification process. Dense-time verification of timeout and calendar-based models for qualitative properties → (Digitization) → Discrete-time verification of timeout and calendar-based models for qualitative properties → (Finitary Reduction) → Finite-state modeling of timeout and calendar-based models and verification of qualitative properties.

The remainder of the paper is organized as follows. In the next section, we briefly discuss the timeout and calendar based modeling as presented in [DuS04a, DuS04b]. In Section 3 we present the formalization of these models in terms of timeout transition diagrams and their behavior in terms of the semantics of transition systems. We discuss the technique of digitization in Section 5 and present our first step of reduction of the dense-time verification problem to the integral time verification problem. In Section 6 we describe the finitary reduction technique and subsequently formalize it in terms of clockless modeling. We present experimental results in Section 7. A few extensions of our framework are described in Section 8, followed by concluding remarks in Section 9.

1.1 Related Work

There have been earlier attempts to model and verify time-triggered systems using extensions of finite state model checkers, e.g., Spin. Spin [Hol93] is a tool for automatically model checking distributed systems, but it does not allow explicit representation of time. There are mainly two attempts at extending Spin with time. The real-time extension of Spin (RT-Spin [TrC96]) is one such attempt, which makes use of timed Büchi automata [AlD94] with real-valued clocks as a modeling framework. However, this formalism is incompatible with the partial order reduction supported by Spin. The other is the work on DT-Spin [BoD98a, BoD98b], which allows one to quantify the (discrete) time elapsed between events by specifying the time slice in which they occur. DT-Spin is compatible with the partial order reduction and has been used to verify industrial protocols like the AFDX frame management protocol [SaR06a] and TTCAN [SaR06b]. Nonetheless, systems with asynchronous communication with bounded delays between components cannot be modeled directly by using the kind of asynchronous channels that Spin provides, since there is no explicit provision to capture message transmission delays. A possible way is to model each channel as a separate process with the delay as a state variable. In [BoD98a], the channels in the example of the PAR protocol have been implemented in this way. But for systems with a relatively large number of components and a high degree of connectivity among them, modeling channels in this way is difficult, and hence state space explosion becomes an unavoidable problem.

The concept of clockless modeling was introduced in [Pik05]. There Pike builds on the work of [DuS04a] and proposes a new formalism called Synchronizing Timeout Automata (STA) to reduce the induction depth k required for k-induction. He introduces a clockless semantics for STA so that the resulting transition system does not involve a clock. STA in effect describes the overall system architecture in terms of the timeout transition system introduced in [DuS04a]. A closer analysis of the SAL model for the example of the Train-Gate Controller presented in [Pik05] reveals that the considered model is not deadlock free. This is because the model fails to specify the timeout update rules precisely for the transitions leading to a waiting state. When a process is waiting for an external signal, its timeout should be set to a value greater than the current value of the timeouts of the senders of the expected signal. Such modeling errors could possibly be eliminated with a suitable modeling framework such as the one proposed in this paper.

To our knowledge, the first attempt to convert TA to untimed TA is taken up in [AlD94]. Building upon this, in [ChH04] the authors discuss how a special kind of model for specifications written in Duration Calculus (DC) [CHR91] can be generated, in which DC formulas correspond to regular expressions over a set of special symbols. The models for DC formulas contain discrete states and digitizations of continuous states, thereby enabling reasoning about both discrete and continuous time in a single framework. Applying discretization to the continuous component of real-time systems, these models could be further translated into Promela models for verification experiments using Spin.

2 Timeout and Calendar-based Real-Time Models

In this section we briefly discuss the timed automata [AlD94], timeout, and calendar-based models introduced earlier in [DuS04b].

2.1 Timed Automata

Timed automata (TA) were introduced by Alur et al. in [AlD94] as a clock based model for specifying real-time system designs. TA are widely used for modeling and verification of real-time systems. Many tools are available for analyzing timed automata, e.g., UPPAAL [BDL04], Kronos [Bozga], Rabbit [BLN03]. For further details on TA, the reader is referred to [AlD94].

2.2 Timeout Transition Model

Dutertre and Sorea [DuS04a, DuS04b] used timeout based modeling to formally verify real-time systems using k-induction in the SAL model checker. A Timeout Transition Model (TTM), which is a model of the combined system behavior, contains a finite set of timeouts and a global clock variable $t$. Timeouts define the time points when discrete transitions will be enabled in the future. The clock variable $t$ keeps track of the current time. In practice a typical real-time system may contain a number of processes. Every process is associated with one timeout which records the future point of time when the next discrete transition for the process is scheduled to occur. Transitions in this model are classified into two types: time progress transitions and discrete transitions. In a time progress transition, $t$ (time) advances to the minimum valued timeout(s). A discrete transition occurs when $t$ is equal to the minimum valued timeout(s). If more than one process has its timeout equal to the minimum value, one of them is randomly chosen and the corresponding discrete transition occurs, updating the value of the timeout for the selected process. The timeout based modeling approach is suited to model systems where the processes communicate via shared variables or the communication between the processes is a rendezvous.

2.3 Calendar Transition Model

Interprocess communication delay during message transfers cannot be modeled using timeout based modeling because delays are beyond the control of individual processes. Addition of an event calendar, a globally shared data structure, is proposed as a convenient way to model such delays [DuS04b]. This model is called the Calendar Transition Model (CTM). A calendar is a set of bounded size of the form $C = \{(e_1, t_1), \ldots, (e_r, t_r)\}$, where each event $e_i$ is associated with the time point $t_i$ when it is scheduled to occur. There is a fundamental difference between a clock and a calendar in the sense that while the former measures the time elapsed since its last reset, the latter stores the expected delivery delays for all undelivered messages. Asynchronous communication with bounded delay can be easily modeled by using the calendar as a global data structure. When a message is transmitted by a process, it is added to the calendar as an event $e_j$ to occur at time $t_j$, where $t_j$ denotes the expected delivery time for the message. On receiving the message, the event is removed from the calendar. Thus at any state, the calendar $C$ can be seen as a set of messages that have been sent but are yet to be received, with their corresponding expected delivery delays.

2.4 Limitation of Existing Formalisms

Timed automata are one of the most frequently used formalisms for specifying real-time system designs. However, it turns out that for systems with asynchronous communication with bounded delays between components, TA do not offer any efficient means of specification. Two possible choices have been considered in the literature. The first choice is to use state variables for encoding the behavior of asynchronous channels, however without any explicit provision to capture message transmission delays. The second choice is to model each channel as a separate TA with the delay as a state variable. However, with a relatively large number of components and a high degree of connectivity among them, modeling channels in this way is difficult, and state space explosion becomes an unavoidable problem. UPPAAL [BDL04], which can model TA, has the same problem when it is used to model asynchronous communications with bounded delays: every channel has to be modeled as a separate TA capturing the message transmission delays.

On the other hand, although TTM and CTM are expressive enough to capture a range of behaviors associated with time triggered systems, including asynchronous communication delays, they have two specific design limitations:

• These models are not well suited for actual system design purposes since they describe the behavior of the combined system without (explicitly) specifying the design of the modular components.

• The absence of formally defined syntactic design models corresponding to these transition systems would demand that additional correctness measures are put in place, because for verification purposes actual design models need to be (manually) interpreted and translated into these transition systems as per the underlying system dynamics, and on discovering an error during verification, such errors need to be comprehended by a designer and subsequently translated back into his design for remedial action.

Keeping in view such limitations in the existing specification formalisms, we will next define and elaborate, using examples, a new timeout based formalism which can effectively overcome these barriers.

3 Formalization of Timeout and Calendar based Models

In [HMP92b] an abstract model of timed transition systems was proposed which could represent a wide variety of behaviors of the timed execution of concurrent processes. In this section we adapt and extend the Timed Transition System (TTS) described therein to represent timeout and calendar based models. Further, we describe their associated semantics in terms of state transition systems.

3.1 Timeout based Timed Transition Model 
3.1.1 Syntax 

A Timeout based Model (ToM) is represented as

$$P : \{\theta\}[P_1 \parallel P_2 \parallel \ldots \parallel P_n].$$

Each process $P_i$ is a sequential non-deterministic process having $\tau_i$ as its local timeout and $X_i$ as a set of local timing variables. Local timing variables are used for determining the relative delay between events. A shared variable $t$ represents the global clock. The operator "$\parallel$" denotes parallel composition. The formula $\theta$, called the data pre-condition of $P$, restricts the initial values of the variables in

$$U = \{t\} \cup T \cup X \cup Var,$$

where the set of all timeouts is $T = \{\tau_1, \tau_2, \ldots, \tau_n\}$, and $X = \bigcup_i X_i$. The set $Var = (G \cup L_1 \cup L_2 \cup \ldots \cup L_n)$ is the set of other state variables. The variables in $G$ are globally shared among all the processes while $L_i$ contains variables local to process $P_i$. Let $f_{Var}$ be the set of computable functions on $Var$.

Each process $P_i$ is represented using a timeout transition diagram (TTD), which is a finite directed graph with a set of nodes $Loc_i = \{l^i_0, l^i_1, \ldots, l^i_{m_i}\}$, called locations. The entry location is $l^i_0$. There are two kinds of edges in the graph of a process $P_i$: timeout edges and synchronous communication edges. Edge definitions involve an enabling condition or guard $p$, which is a boolean-valued function or a predicate.

Timeout Edges: A timeout edge $(l^i_j,\ p \Rightarrow (\tau_i := update_i, \gamma, f),\ l^i_k)$ in the graph of the process $P_i$ is represented as

$$l^i_j \xrightarrow{\ p \Rightarrow (\tau_i := update_i,\ \gamma,\ f)\ } l^i_k,$$

where $update_i$ specifies the way the timeout is to be updated on taking a transition on the edge when the guard $p$ evaluates to true. $\gamma \subseteq X_i$ specifies the local timing variables which capture the value of the clock $t$ while taking a transition on the edge. This value may be used during future transitions while estimating the relative delay w.r.t. this transition. $f \in f_{Var}$ manipulates the state variables in $G \cup L_i$. $update_i$ is defined using the rule:

$$update_i ::= k_1 \mid k_2 \mid \infty \mid \max(M),$$

where $l + z \prec k_1 \prec' m + z'$ for $\prec, \prec' \in \{<, \le\}$ and $k_2 \succ l + z$ for $\succ \in \{>, \ge\}$; $z, z' ::= t \mid w$, and $l, m \in \mathbb{N}$ are non-negative integer constants specifying the lower and upper limits for a timeout increment interval¹, and $w \in X_i$ is a local timing variable. The variable $z$ makes such an interval relative to the occurrence of specific events. $M$ is the set of all the integer constants that are used to define the upper limits of different timeouts for different processes in the system. $\max(M)$ returns the maximum of all the integers in $M$.

Constraints on $k_1, k_2$ specify how the new value of the timeout $\tau_i$ should be determined based upon the current value of the clock $t$ and/or $w$, which would have captured the value of $t$ in some earlier transition. Setting a timeout to $\infty$ captures the requirement of indefinite waiting for an external signal/event. The selection of the timeout value using $\max(M)$ is used to capture the situation where the next discrete transition of a process may happen at any time in the future; for example, the process may be in a sleeping mode and can wake up at any future point of time.

Synchronous Communication Edges: Rendezvous communication between a pair of processes $(P_s, P_r)$ is represented by having an edge pair $(e_s, e_r)$ s.t. $e_s \in P_s$ and $e_r \in P_r$ and

$$e_s : l^s_j \xrightarrow{\ p \Rightarrow (ch!m,\ \tau_s := update_s,\ \gamma,\ g)\ } l^s_k$$

$$e_r : l^r_j \xrightarrow{\ True \Rightarrow (ch?\tilde{m},\ \tau_r := update_r,\ \gamma',\ h)\ } l^r_k$$

where $ch$ is the channel name, $m \in L_s$ is the message sent, $\tilde{m} \in L_r$ the message received, and $g, h \in f_{Var}$ are computable functions.

3.1.2 Semantics

With a given ToM

$$P : \{\theta\}[P_1 \parallel P_2 \parallel \ldots \parallel P_n]$$

we associate the following transition system $S_P = (V, \Sigma, \Sigma_0, \mathcal{T})$, referred to as a timeout based clocked transition system (TCTS), where:

1. $V = U \cup \{\pi_1, \ldots, \pi_n\}$. Each control variable $\pi_i$ ranges over the set $Loc_i \cup \{\bot\}$. The value of $\pi_i$ indicates the location of the control for the process $P_i$, and it is $\bot$ (undefined) before the start of the process.

2. $\Sigma$ is the set of states. Every state $\sigma \in \Sigma$ is an interpretation of $V$, that is, it assigns values to the clock variable $t$, every timeout variable in $T$, the timing variables in $X$, the state variables in $Var$, and the control variables $\pi_1, \ldots, \pi_n$, in their respective domains. For $x \in V$, let $\sigma(x)$ denote its value in state $\sigma$.

3. $\Sigma_0 \subseteq \Sigma$ is the set of initial states such that for every $\sigma_0 \in \Sigma_0$, $\theta$ is true in $\sigma_0$ and $\sigma_0(\pi_i) = \bot$ for each process $P_i$.

4. $\mathcal{T} = \mathcal{T}_e \cup \mathcal{T}_+ \cup \mathcal{T}_0 \cup \mathcal{T}_{syn\text{-}comm}$ is the set of transitions. Every transition $\nu \in \mathcal{T}$ is a binary relation on $\Sigma$, defined further as follows:

¹ This interval mimics the delay interval marking an edge in the original timed transition diagrams.
Entry Transitions: $\mathcal{T}_e$, the set of entry transitions, contains an entry transition $\nu^i_e$ for every process $P_i$. In particular, $\forall \sigma_0 \in \Sigma_0$, $\nu^i_e = (\sigma_0, \sigma') \in \mathcal{T}_e$ iff:

1. $\forall x \in U : \sigma'(x) = \sigma_0(x)$
2. $\forall \tau \in T : \sigma'(t) < \sigma'(\tau)$
3. $\sigma_0(\pi_i) = \bot$ and $\sigma'(\pi_i) = l^i_0$


Time Progress Transition: The first kind of edges $\nu_+ \in \mathcal{T}_+$ are those where the global clock is increased to the minimum of all timeouts. In particular, $\nu_+ = (\sigma, \sigma') \in \mathcal{T}_+$ iff:

1. $\sigma(t) < \min\{\sigma(T)\}$
2. $\forall \tau \in T : \sigma'(\tau) = \sigma(\tau)$
3. $\forall x \in X : \sigma'(x) = \sigma(x)$
4. $\forall i : \sigma'(\pi_i) = \sigma(\pi_i)$
5. $\sigma'(t) = \min\{\sigma(T)\}$



Timeout Increment Transition: For the second kind of edges $\nu^i_0 \in \mathcal{T}_0$ the global clock equals the minimum of the timeouts. Also, if an edge in the TTD for process $P_i$ connects source location $l^i_j$ to target location $l^i_k$ and is labeled by the instruction $p \Rightarrow (\tau_i := update_i, \gamma, f)$, then $\nu^i_0 = (\sigma, \sigma') \in \mathcal{T}_0$ iff:

1. $p$ holds in $\sigma$
2. $\sigma'(t) = \sigma(t)$
3. If $\sigma(\tau_i) = \sigma(t)$ then $\sigma'(\tau_i) = update_i > \sigma(\tau_i)$ else $\sigma'(\tau_i) = \sigma(\tau_i)$
4. $\forall x \in \gamma : \sigma'(x) = \sigma(t)$ and $\forall x \in X \setminus \gamma : \sigma'(x) = \sigma(x)$
5. $\forall v \in G \cup L_i : \sigma'(v) = f(\sigma(v))$ and $\forall v \in Var \setminus (G \cup L_i) : \sigma'(v) = \sigma(v)$
6. $\sigma(\pi_i) = l^i_j$ and $\sigma'(\pi_i) = l^i_k$

If $update_i = k_1$ s.t. $l + z \prec k_1 \prec' m + z'$, then $update_i$ arbitrarily selects a value $\delta$ such that $[l + \sigma(z) \prec \delta \prec' m + \sigma(z')] \wedge [\delta > \sigma(\tau_i)]$ and returns $\delta$. If $update_i = k_2$ s.t. $k_2 \succ l + z$, then $update_i$ arbitrarily selects a value $\delta$ such that $[\delta \succ l + \sigma(z)] \wedge [\delta > \sigma(\tau_i)]$ and returns $\delta$. If $update_i = \infty$, $update_i$ returns the largest possible constant defined as per the design of the system. If $update_i = \max(M)$, $update_i$ nondeterministically selects any integer $\delta$ in $[0, M + 1]$, where $M$ is the maximum of all the integers in $M$ returned by $\max(M)$. The local timing variables in $\gamma \subseteq X_i$ for process $P_i$ are assigned the current value of the global clock on a timeout increment transition, while the other local timing variables in the system retain their old values before this transition. The variables in $\gamma$ are thus used to capture the delay between two events.



Synchronous Communication: For a pair of processes $P_s, P_r$ having synchronous communication edges $(e_s, e_r)$ as defined before, $\nu^{s,r}_{syn\text{-}comm} = (\sigma, \sigma') \in \mathcal{T}_{syn\text{-}comm}$ exists such that:

1. $p$ holds in $\sigma$
2. $\sigma'(t) = \sigma(t)$
3. $\sigma'(\tau_s) = update_s > \sigma(\tau_s)$ and $\sigma'(\tau_r) = update_r > \sigma(\tau_r)$
4. $\forall x \in (\gamma \cup \gamma') : \sigma'(x) = \sigma(t)$ and $\forall x \in X \setminus (\gamma \cup \gamma') : \sigma'(x) = \sigma(x)$
5. $\sigma'(\tilde{m}) = \sigma(m)$
6. $\forall v \in G \cup L_s : \sigma'(v) = g(\sigma(v))$, $\forall v \in G \cup L_r : \sigma'(v) = h(\sigma(v))$, and $\forall v \in Var \setminus (G \cup L_s \cup L_r) : \sigma'(v) = \sigma(v)$
7. $\sigma(\pi_s) = l^s_j$, $\sigma(\pi_r) = l^r_j$ and $\sigma'(\pi_s) = l^s_k$, $\sigma'(\pi_r) = l^r_k$

This semantic model defines the set of possible computations of the ToM $P$ as a (possibly infinite) set of state sequences $\xi : \sigma_0 \rightarrow \sigma_1 \rightarrow \cdots$, which start with some initial state $\sigma_0$ in $\Sigma_0$ and follow consecutive edges in $\mathcal{T}$, i.e., $\forall i.\,(\sigma_i, \sigma_{i+1}) \in \mathcal{T}$. Let $[S_P]$ be the set of all these computations of a ToM $P$ as defined by its TCTS $S_P$.



3.2 Calendar Based Timed Transition Model

3.2.1 Syntax

Next we capture the bounded message transfer delay associated with asynchronous communication. Towards that, the ToM is extended with a calendar data structure. A calendar is a linear list of bounded size, where each element of the list contains the following information: message, sender_id, receiver_id, and expected_delivery_time. Assuming $C$ to denote the calendar array, a globally shared object, we set

$$U = \{t\} \cup T \cup X \cup Var \cup C.$$

Sending a message in the TTD of process $P_i$ is represented using the following edge:

$$l^i_j \xrightarrow{\ p \Rightarrow (send(m, i, \Omega),\ \tau_i := update_i,\ \gamma,\ f)\ } l^i_k,$$

where $\Omega \subseteq R \times \Delta$, $R \subseteq \{1, 2, \ldots, n\}$ is the index set for the processes and $\Delta$ is the set of expected message delays. $send(\ldots)$ specifies that a message $m$ is to be sent to each of the processes $P_r$ with expected delivery time $\Delta_r$, where $(r, \Delta_r) \in \Omega$. On taking a transition on this edge, an entry $\{m, i, r, \Delta_r\}$ is added to $C$ for each $(r, \Delta_r) \in \Omega$.

Receiving of the corresponding message is represented in the TTD of each of the processes $P_r$, $\forall r \in R$, using the following edge:

$$l^r_j \xrightarrow{\ True \Rightarrow (receive(m, i, r),\ \tau_r := update_r,\ \gamma,\ g)\ } l^r_k,$$

where $receive(\ldots)$ specifies that a message $m$ sent by process $P_i$ is to be received by the process $P_r$. On taking a transition on this edge, the entry $\{m, i, r, \Delta_r\}$ is deleted from $C$.

3.2.2 Semantics

Given a calendar $C$, we assume that the set of delays for all undelivered messages at any state $\sigma$ can be found using the function

$$\Delta : \sigma(C) \to 2^{\mathbb{N}}.$$

Again $\mathcal{T} = \mathcal{T}_e \cup \mathcal{T}_+ \cup \mathcal{T}_0 \cup \mathcal{T}_{syn\text{-}comm} \cup \mathcal{T}_{asyn\text{-}comm}$ is the set of transitions in the calendar based clocked transition system (CCTS). Both $\mathcal{T}_e$ (the set of entry transitions) and $\mathcal{T}_{syn\text{-}comm}$ (synchronous communication) are the same as in the TCTS defined earlier. The definitions for the edges in the time progress transition ($\mathcal{T}_+$) and those for the timeout increment transition ($\mathcal{T}_0$) are modified using the calendar $C$ as follows:

Time Progress Transition: The first kind of edges $\nu_+$ are those where the global clock is increased to the minimum of all the timeouts and message delays. In particular, $\nu_+ = (\sigma, \sigma') \in \mathcal{T}_+$ iff:

1. $\sigma(t) < \min\{\sigma(T) \cup \Delta(\sigma(C))\}$
2. $\forall \tau \in T : \sigma'(\tau) = \sigma(\tau)$
3. $\forall x \in X \cup Var : \sigma'(x) = \sigma(x)$
4. $\forall i : \sigma'(\pi_i) = \sigma(\pi_i)$
5. $\sigma'(t) = \min\{\sigma(T) \cup \Delta(\sigma(C))\}$

Timeout Increment Transition: For the second kind of edges $\nu^i_0$, where the global clock equals the minimum of all the timeouts and message delays, we have: if an edge in the TTD of process $P_i$ connects source location $l^i_j$ to target location $l^i_k$ and is labeled by the instruction $p \Rightarrow (\tau_i := update_i, \gamma, f)$, then $\nu^i_0 = (\sigma, \sigma') \in \mathcal{T}_0$ iff:

1. $p$ holds in $\sigma$
2. $\sigma'(t) = \sigma(t)$
3. If $[\sigma(t) = \min\{\sigma(T)\}] \wedge [\sigma(\tau_i) = \sigma(t)]$ then $\sigma'(\tau_i) = update_i > \sigma(\tau_i)$ else $\sigma'(\tau_i) = \sigma(\tau_i)$
4. $\forall x \in \gamma : \sigma'(x) = \sigma(t)$ and $\forall x \in X \setminus \gamma : \sigma'(x) = \sigma(x)$
5. $\forall v \in G \cup L_i : \sigma'(v) = f(\sigma(v))$ and $\forall v \in Var \setminus (G \cup L_i) : \sigma'(v) = \sigma(v)$
6. $\sigma(\pi_i) = l^i_j$ and $\sigma'(\pi_i) = l^i_k$
We additionally define new transitions corresponding to $send()$ and $receive()$ to capture asynchronous communication:

Send Transition: If there is an edge in process $P_i$, which connects source location $l^i_j$ to target location $l^i_k$ and is labeled by the instruction $p \Rightarrow (send(m, i, \Omega), \tau_i := update_i, \gamma, f)$, then we have the corresponding edge $\nu_{send} \in \Gamma_{asyn\_comm}$, which adds $|\Omega|$ cells to the calendar array $C$: $\nu_{send} = (\sigma, \sigma')$ iff

1. $p$ holds in $\sigma$
2. $\sigma'(t) = \sigma(t)$
3. $\sigma'(\tau_i) = update_i > \sigma(\tau_i)$
4. $\forall x \in \gamma : \sigma'(x) = \sigma(t)$ and $\forall x \in X \setminus \gamma : \sigma'(x) = \sigma(x)$
5. $\forall v \in G \cup L_i : \sigma'(v) = f(\sigma(v))$ and $\forall v \in Var \setminus (G \cup L_i) : \sigma'(v) = \sigma(v)$
6. $\forall (r, \lambda_r) \in \Omega : \sigma'(C) := \sigma(C) \cup \{m, i, r, \lambda_r\}$
7. $\sigma(\pi_i) = l^i_j$ and $\sigma'(\pi_i) = l^i_k$



Receive Transition: If there is an edge in process $P_r$, which connects source location $l^r_j$ to target location $l^r_k$ and is labeled by the instruction $True \Rightarrow (receive(m, i, r), \tau_r := update_r, \gamma, g)$, then we have the corresponding edge $\nu_{receive} \in \Gamma_{asyn\_comm}$, which deletes the entry $\{m, i, r, \lambda_r\}$ from the calendar array $C$ when the clock $t$ reaches $\lambda_r$: $\nu_{receive} = (\sigma, \sigma')$ iff

1. $\exists \{m, i, r, \lambda_r\} \in \sigma(C)$ s.t. $\sigma(t) = \lambda_r$
2. $\sigma'(t) = \sigma(t)$
3. $\sigma'(\tau_r) = update_r > \sigma(\tau_r)$
4. $\forall x \in \gamma : \sigma'(x) = \sigma(t)$ and $\forall x \in X \setminus \gamma : \sigma'(x) = \sigma(x)$
5. $\forall v \in G \cup L_r : \sigma'(v) = g(\sigma(v))$ and $\forall v \in Var \setminus (G \cup L_r) : \sigma'(v) = \sigma(v)$
6. $\sigma'(C) := \sigma(C) \setminus \{m, i, r, \lambda_r\}$
7. $\sigma(\pi_r) = l^r_j$ and $\sigma'(\pi_r) = l^r_k$



Similar to the case of TCTS, this semantic model also defines the set of possible computations of the calendar based ToM as a (possibly infinite) set of state sequences starting with some initial state in $\Sigma$ and following consecutive edges in $\Gamma$. Let $[S_P]$ be the set of all these computations of a calendar based ToM $P$ as defined by its CCTS $S_P$.



Models for Time: It has remained unspecified what the underlying model of time for the clock, timeouts etc. that appear in the definitions of TCTS and CCTS would be. There are two natural choices for time, the set of non-negative integers $\mathbb{N}$ (discrete time) or the set of non-negative reals $\mathbb{R}$ (dense time). Given the model of time as $TIME$, let $[S_P]_{TIME}$ be the set of all the computations of a ToM (or calendar based ToM) $P$ as defined by its TCTS (or CCTS) $S_P$.

When we take the underlying model of time to be $\mathbb{R}$, we need to add the following non-zenoness condition to ensure effective time progress in the model. There must not be infinitely many time progress (or timeout increment) transitions effective within a finite interval. Formally,

nonzenoness: $\forall \xi : \sigma_0 \to \sigma_1 \to \ldots \in [S_P]_{\mathbb{R}} .\ \forall \delta \in \mathbb{R}\ \exists i \geq 0 .\ \sigma_i(t) > \delta$



3.3 Parametric Processes 

We consider the case of a finite family of processes specified in a parametric way. A completely parametric process family would be specified as

$$\{\theta\}[\{P(i)\}_{i=1}^{N}]$$

where $N \geq 1$ is some finite positive integer and $\theta = \theta_1 \wedge \ldots \wedge \theta_N$ such that $\theta_i$ ($1 \leq i \leq N$) initializes the variables for the $i$th copy of the process. Process $P(i)$ could be a TTD or a calendar based TTD.

The semantic interpretation of such a parametrically specified process family is given by first flattening the specification as

$$\{\theta\}[P(1) \| \ldots \| P(N)]$$
Figure 2: TTD for the $i$th process in Fischer's Protocol (figure not reproduced; its edges carry guards of the form $lock = 0 \wedge \tau_i = t$ and updates such as $in\_critical := in\_critical + 1$)

and then applying the semantics presented before according to whether $P(i)$ is a TTD or a calendar based TTD.

Such a parametric specification can be generalized to a homogeneous set of process families as

$$\{\theta\}[\{P(i_1)\}_{i_1=1}^{N_1} \| \ldots \| \{P(i_l)\}_{i_l=1}^{N_l}]$$

where $N_1, \ldots, N_l$ are some finite positive integers and $\theta = \theta_1 \wedge \ldots \wedge \theta_l$ such that $\theta_i = \theta_{i1} \wedge \ldots \wedge \theta_{iN_i}$ initializes the variables for the $i$th process family. The term homogeneous arises because the processes in all the process families should uniformly be either TTDs or calendar based TTDs. We do not consider the case of a heterogeneous set of process families, where processes across different process families might be different. Similar to the case of a single parametric process family, the generalized process family can be interpreted by flattening the process specification.

4 Examples 

The following two examples illustrate the expressiveness and effectiveness of the proposed timeout and calendar based modeling framework.

4.1 Fischer's Mutual Exclusion Protocol

Fischer's protocol is a well studied protocol to ensure mutual exclusion among real-time concurrent processes. Let there be $n$ processes $P_1, \ldots, P_n$ trying to access shared resources in a real-time fashion, to be discussed later. A process $P_i$ is initially idle (Sleeping state), but at any time may begin executing the protocol provided the value of a global variable $lock$ is 0, and then move to the Wait state. There it can wait up to a maximum of $d_1$ time units before assigning the value $i$ to $lock$ and moving to the Trying state. It may enter the Critical section after a delay of at least $d_2$ time units provided the value of $lock$ is still $i$. Otherwise it has to move to the Sleeping state. Upon leaving the Critical section, it re-initializes $lock$ to 0. There is another global variable, $in\_critical$, used to keep count of the number of processes in the critical section. The auto-increment (auto-decrement) of this variable is done before a process enters the Critical section (leaves the Critical section). Mutual exclusion is ensured if $d_1 < d_2$. The timeout-based TTD of the $i$th process $P_i$ executing Fischer's protocol is shown in Figure 2.

4.2 TTA Startup Algorithm 

The TTA startup algorithm can be formalized using the calendar based model described above. This 
algorithm executes on a logical bus meant for safety-critical application in both automotive and aerospace 
industries. In a normal operation, N processors or nodes share a TTA bus using a TDMA schedule. The 
goal of the startup algorithm is to bring the system from the power-up state, in which the processors are 
not synchronized, to the normal operation mode in which all processors are synchronized and follow the 
same TDMA schedule. 







Figure 3: Calendar-based TTD for the $i$th node in the TTA Startup algorithm (figure not reproduced; one of its edges reads $(t = \tau_i) \Rightarrow (send(i\_frame, i, R_i \times \{\lambda_i\}), x_i := t)$)

In the TTA startup algorithm each node $i \in \{1 \ldots N\}$ has two unique timeout parameters, $\tau^{listen}_i$ and $\tau^{cs}_i$, for the listen and coldstart states respectively. These are defined as follows:

$$\tau^{listen}_i = 2\tau^{round} + \tau^{startup}_i$$

$$\tau^{cs}_i = \tau^{round} + \tau^{startup}_i$$

where $\tau^{round}$ represents the TDMA round duration and $\tau^{startup}_i$ denotes the duration between the start of a TDMA cycle and the time when the slot for node $i$ starts. If $\tau$ denotes the duration of each slot then

$$\tau^{round} = N\tau, \qquad \tau^{startup}_i = (i - 1)\tau$$

When a node is powered on, it performs some internal initialization and transits to the Listen state. In this state it listens for the unique duration $\tau^{listen}_i$ to determine if there is a synchronous set of nodes communicating on the medium. The nodes which are in the Active state are already synchronized, and periodically transmit i-frames that carry the TDMA cycle structure. If a node in the Listen state receives such an i-frame, it adjusts its state to the frame contents and is thus synchronized with the set of already synchronous nodes. If the above does not happen, there are two possibilities. Each node listens for a cold-start message (cs-frame) from another node indicating the beginning of the cold-start sequence; cs-frames are similar to i-frames but carry a protocol state suggested by the sending node. When a node completes the reception of a cs-frame, it enters the Coldstart state and resets its local clock to $\delta_{cs}$ (that is, the transmission duration of the cs-frame). Thus, all nodes that received the cs-frame have synchronized local clocks (within system tolerances, including the propagation delay). Each node that receives neither an i-frame nor a cs-frame during the Listen phase enters the Coldstart state on its listen timeout, resets its local clock to 0 and broadcasts a cs-frame. Thus, after the transmission of the cs-frame ($\delta_{cs}$ later), the local clock of the sending node is also synchronized to the local clocks of the set of receiving nodes.

Each node in the Coldstart state waits for reception of another cs-frame or i-frame until its local clock reaches the value of its individual cold-start timeout. If it receives such a frame it synchronizes on its contents and enters the Active state; if not, it resets its local clock and again broadcasts a cs-frame. No further collision can occur at this point, because the cold-start timeouts have a strict order, and that is why no two nodes that caused a collision can collide again. The listen timeout of any node is greater than the coldstart timeout of any node. No node that entered the Listen state after the collision can move to the Coldstart state before the collision is resolved. For further details of the startup protocol, we refer the reader to [StP02].

The calendar based TTD of the $i$th node is depicted in Figure 3. In the TTA startup algorithm all the communications are asynchronous and hence message delivery delays, which are finite and specified by the designer, have to be taken into account for correct operation of the protocol. The timeouts $\tau^{listen}_i$ and $\tau^{cs}_i$ represent how much time a node spends in the Listen state and the Coldstart state respectively, if no external signal is received. The timeout $\tau^{round}$ denotes the time a node spends in the Active state before sending its next message. $R_i = \{1, \ldots, N\} \setminus \{i\}$ represents the set of nodes except the sender $i$ that are required to receive the message in the network. We use $\lambda_i$'s to denote the message delivery times for the corresponding send events. In TTA, message delivery times for all the receivers are considered to be the same, and that is why we have used a single variable $\lambda_i$ to represent that delay.

5 Verification Results for Digitization 

In the literature the verification problem for real-time systems assumes two descriptions of real-time behavior, implementation $I$ and specification $S$, and poses the question whether $I$ implements/satisfies $S$. The implementation language $\mathcal{L}_I$ describes systems and behavior over time while the specification language $\mathcal{L}_S$ describes the timing requirements of the system. The verification obligation involves presenting algorithms and/or proof rules that facilitate a formal argument that a particular implementation meets the requirement of a particular system under some particular assumption of semantics of computation and time. Assuming $C$ and $T$ to be mathematical models of computation and time respectively, the real-time verification problem parameterized by $(C, T, \mathcal{L}_I, \mathcal{L}_S)$ states: does the implementation of the system $I$, given as an expression of $\mathcal{L}_I$, meet the specification $\phi$ given as an expression of $\mathcal{L}_S$, with respect to the semantical assumption $(C, T)$, written as

$$I \models_{(C,T)} \phi$$

In particular, we would consider two important instances of the real-time verification problem - one with 
an integral model of time and one with a dense model of time. In the following, we assume TTS as the 
implementation language and linear time temporal logic (LTL) as the specification formalism. 

5.1 Timed Sequences 

We shall adopt the discrete trace model (using the terminology from [HMP92a, Bos99]) as a mathematical model of computation. In the discrete trace model one captures the behavior of a system as an infinite sequence of snapshots of the global system state at certain times. We assume our time domain $TIME$ has a total ordering $\leq$ defined on it. We define an observation to be a pair $(\sigma_i, T_i)$, where $\sigma_i$ is a state and $T_i \in TIME$. A timed state sequence $\eta = (\sigma, T)$ is an infinite sequence $\eta : (\sigma_0, T_0) \to (\sigma_1, T_1) \to (\sigma_2, T_2) \to \cdots$ of observations.$^2$ Further, the infinite sequence $T$ of time stamps $T_i$ in $\eta$ satisfies (i) monotonicity: $T_i \leq T_{i+1}$ for all $i \geq 0$, and (ii) progress: time progresses, i.e., for all $T \in TIME$, $T_i > T$ for some $i \geq 0$.

Now onwards, we shall work with dense-time models when TIME = R and integral-time models 
when TIME = N. A timed state sequence under dense-time model will be referred to as precisely timed 
and under integral-time model as digitally timed. 

Let us denote the set of all timed state sequences over the $TIME$ domain as $TSS_{TIME}$. A real-time property is a subset of $TSS_{TIME}$. Every real-time system $S$ defines a real-time property, denoted as $[S]$, which is the set of all timed state sequences of $S$. Also, every real-time specification $\phi$ defines a real-time property $[\phi]$, the set of real-time sequences that satisfy $\phi$.

Now let us formulate the real-time verification problem. We say a real-time system $S$ satisf

ies the specification $\phi$, written as

$$S \models_{TIME} \phi$$

if and only if

$$[S]_{TIME} \subseteq [\phi]_{TIME}$$

Consider a dense-time property $\Pi_{\mathbb{R}} \subseteq TSS_{\mathbb{R}}$, a set of timed state sequences over $\mathbb{R}$. Its clock-independent semantics $N(\Pi_{\mathbb{R}})$ is the subset of digitally timed state sequences in $\Pi_{\mathbb{R}}$, i.e., $N(\Pi_{\mathbb{R}}) = \Pi_{\mathbb{R}} \cap TSS_{\mathbb{N}}$. In [HMP92a], it is shown that clock-independent semantics is not very adequate for reasoning about dense time. As a remedy for this, another approximate semantics was introduced, which was called digitization.

$^2$ Note that any $\xi \in [S_P]$ (previously defined) essentially defines a timed state sequence. This is because states in $\xi$ have an implicit representation for time stamps as $\sigma_0(t), \sigma_1(t), \ldots$, which are otherwise explicitly present in the definition of $\eta$ as $T_0, T_1, \ldots$

The following definitions will be useful for our subsequent discussions. For any timed state sequence $\eta = (\sigma, T)$, we introduce its untime operation $\eta^-$ as its state component $\sigma$. Also, $\eta^i = (\sigma^i, T^i)$, for $i \geq 0$, denotes the timed state sequence that results from $\eta$ by deleting the first $i$ observations (note, $\eta = \eta^0$).

5.2 Digitization 

Given $x \in \mathbb{R}$ and $\epsilon \in (0, 1]$, we define $[x]_\epsilon = \lfloor x \rfloor$ if $x < \lfloor x \rfloor + \epsilon$, otherwise $[x]_\epsilon = \lceil x \rceil$.$^3$ Given a precisely timed sequence $\eta = (\sigma, T)$ and $\epsilon \in (0, 1]$, we define the $\epsilon$-digitization $[\eta]_\epsilon = (\sigma, [T]_\epsilon)$ of $\eta$ to be the digitally timed sequence

$$(\sigma_0, [T_0]_\epsilon) \to (\sigma_1, [T_1]_\epsilon) \to \cdots$$

For any dense-time property $\Pi$ (a set of timed sequences over dense time) let

$$[\Pi] = \{[\eta]_\epsilon \mid \eta \in \Pi \text{ and } \epsilon \in (0, 1]\},$$

which is a digitization of $\Pi$. We write $[\eta]$ instead of $[\{\eta\}]$.

We state some concepts from [HMP92a]. Let $\Pi$ be a dense-time property. $\Pi$ is closed under digitization iff for all $\eta \in TSS_{\mathbb{R}}$, $\eta \in \Pi$ implies $[\eta] \subseteq \Pi$. $\Pi$ is closed under inverse digitization iff $[\eta] \subseteq \Pi$ implies $\eta \in \Pi$, for all $\eta \in TSS_{\mathbb{R}}$. Finally, $\Pi$ is digitizable iff it is closed under both digitization and inverse digitization, i.e., $\eta \in \Pi$ iff $[\eta] \subseteq \Pi$ for all $\eta \in TSS_{\mathbb{R}}$. We state the following important result (see [HMP92a]).

Fact 5.1 Assume a real-time system $S$ whose dense-time semantics $[S]_{\mathbb{R}}$ is closed under digitization, and a specification $\phi$ whose dense-time semantics $[\phi]_{\mathbb{R}}$ is closed under inverse digitization. Then in order to prove $S \models_{\mathbb{R}} \phi$ it suffices to check if $S \models_{\mathbb{N}} \phi$.

A dense-time property $\Pi$ is said to be qualitative if $\eta \in \Pi$ implies $\eta' \in \Pi$ for all precisely timed sequences $\eta$ and $\eta'$ with identical state components (i.e., $\eta^- = \eta'^-$).

Fact 5.2 [HMP92a] Every qualitative property is digitizable.

5.3 Digitization of Timeout and Calendar based Transition Systems 

Recall a TCTS is $S = (V, \Sigma, \Sigma_0, \Gamma)$ (we drop the subscript $P$ because we assume the ToM $P$ is implicit) where $V$ is a set of variables, $\Sigma$ a set of states, $\Sigma_0 \subseteq \Sigma$ a set of initial states and $\Gamma$ a set of transitions. We would like to show that the computations for this transition system are digitizable. Our approach follows [Bos99].

A run of $S$ over a timed state sequence $\eta : (\sigma_0, T_0) \to (\sigma_1, T_1) \to \cdots$ is a sequence of pairs of $S$ of the form $\zeta : (\sigma_0, \nu_0) \to (\sigma_1, \nu_1) \to \cdots$ where $\sigma_i$ denotes the state and $\nu_i$ the mapping of variables in $U$ in state $\sigma_i$ and further, it satisfies the following conditions:

1. (initiation:) $\sigma_0 \in \Sigma_0$ and $\nu_0(t) = T_0 = 0$, $\nu_0(\pi_i) = \bot$, for $t \in V$, $\pi_i \in V$.

2. (consecution:) for $i \geq 1$ there is an edge $(\sigma_{i-1}, \sigma_i) \in \Gamma = (\Gamma_e \cup \Gamma_+ \cup \Gamma_0 \cup \Gamma_{syn\_comm})$ such that the following hold:

   - if $(\sigma_0, \sigma_1) \in \Gamma_e$ then $T_0 = \nu_0(t) \leq \nu_1(t) = T_1$ and $\forall \tau \in T .\ \sigma_1(\tau) > T_1$.
   - if $(\sigma_{i-1}, \sigma_i) \in \Gamma_+$ then $T_{i-1} = \nu_{i-1}(t) < \min\{\sigma_{i-1}(T)\} = \nu_i(t) = T_i$.
   - if $(\sigma_{i-1}, \sigma_i) \in \Gamma_0$ then $T_{i-1} = \nu_{i-1}(t) = \nu_i(t) = T_i$.
   - if $(\sigma_{i-1}, \sigma_i) \in \Gamma_{syn\_comm}$ then $T_{i-1} = \nu_{i-1}(t) = \nu_i(t) = T_i$.

3. (time progress:) for any real number $T$ there exists an $i \geq 0$ such that $T_i > T$.

We say that $\eta \in TSS_{TIME}$ is time-consistent (for $S$) if $S$ has a run over it. In the sequel we consider only time-consistent behaviors $\eta \in [S]_{TIME}$ of $S$, i.e., $\eta \in [S]_{TIME}$ iff there is a run over $\eta$. If $TIME = \mathbb{N}$ then we get the integral behavior of the TCTS. Now it is obvious that the time at state $j \geq 1$ in a given run is given by $\nu_j(t) = T_j$. We define the $\epsilon$-digitization of the mapping $\nu_j$ for any variable $x \in U \subseteq V$ as $(\nu_j(x))_\epsilon = [\nu_j(x)]_\epsilon$.

Given a computation $\zeta : (\sigma_0, \nu_0) \to (\sigma_1, \nu_1) \to \cdots$ its $\epsilon$-digitization is the computation $[\zeta]_\epsilon : (\sigma_0, (\nu_0)_\epsilon) \to (\sigma_1, (\nu_1)_\epsilon) \to \cdots$, where $(\nu_j)_\epsilon$ for $j \geq 1$ are defined above, and $(\nu_0(t))_\epsilon = [T_0]_\epsilon$.

$^3$ where $\lfloor\cdot\rfloor$ and $\lceil\cdot\rceil$ are the floor and ceiling rounding operations on real numbers respectively
Now we need to analyze the extent to which the set of dense-time computations of a TCTS is closed under digitization. Suppose $\zeta : (\sigma_0, \nu_0) \to (\sigma_1, \nu_1) \to \cdots$ is a run of $S$ over $\eta$. For digitization, $[\zeta]_\epsilon$ would be a run of $S$ over $[\eta]_\epsilon$. We have $(\nu_0(t))_\epsilon = [T_0]_\epsilon$. Observe that if $T_{i-1} = T_i$ then $[T_{i-1}]_\epsilon = [T_i]_\epsilon$. When $T_{i-1} < T_i$, except for the case $0 < (T_i - T_{i-1}) < 1$, we have $[T_{i-1}]_\epsilon < [T_i]_\epsilon$. So, if there is an edge $(\sigma_{i-1}, \sigma_i) \in \Gamma$ and $(T_i = T_{i-1}) \vee (T_i \geq T_{i-1} + 1)$, there would be an edge $((\sigma_{i-1})_\epsilon, (\sigma_i)_\epsilon)$ in $\Gamma$ under $[\zeta]_\epsilon$. Also we can ensure time progress for $[\zeta]_\epsilon$. Hence:

Fact 5.3 The set of dense-time computations of a TCTS is closed under digitization if and only if all timeout increments are at least 1 time unit.

The result above gives a precise characterization of digitization for a TCTS. Timeout increments in $(0, 1)$ result in a TCTS which is not closed under digitization and therefore cannot be model checked for all LTL properties under discrete time dynamics.

A similar argument can be used to show that the dense computations of a (digitizable) calendar based clocked transition system (CCTS) are also closed under digitization.
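Added example (not code from the paper or from [HMP92a]): the $[x]_\epsilon$ rounding and the $\epsilon$-digitization of a timed state sequence from Section 5.2, written out in Python, together with the order-preservation check that Fact 5.3 turns on (equal stamps must stay equal and strictly ordered stamps must stay strictly ordered, which fails exactly when an increment lies in $(0, 1)$). The two runs are constructed for illustration, and the grid of $\epsilon$ values is a finite sample of the interval $(0, 1]$ the definition quantifies over.

```python
"""epsilon-digitization of timed state sequences (Sections 5.2 and 5.3).

Added example, not from the paper: [x]_eps, the digitization of a precisely
timed sequence, and the check behind Fact 5.3.  The runs OK_RUN and BAD_RUN
are constructed; the eps grid samples (0, 1].
"""
import math


def digitize(x, eps):
    """[x]_eps = floor(x) if x < floor(x) + eps, else ceil(x); eps in (0, 1]."""
    if not 0 < eps <= 1:
        raise ValueError("eps must lie in (0, 1]")
    fl = math.floor(x)
    return fl if x < fl + eps else math.ceil(x)


def digitize_sequence(eta, eps):
    """eta is a list of (state, T_i) observations; returns (state, [T_i]_eps) pairs."""
    return [(state, digitize(T, eps)) for state, T in eta]


def order_preserved(eta, eps):
    """True iff consecutive time stamps keep their order under eps-digitization:
    T_{i-1} == T_i implies [T_{i-1}] == [T_i], and
    T_{i-1} <  T_i implies [T_{i-1}] <  [T_i]."""
    stamps = [T for _, T in eta]
    digital = [d for _, d in digitize_sequence(eta, eps)]
    for (a, b), (da, db) in zip(zip(stamps, stamps[1:]), zip(digital, digital[1:])):
        if a == b and da != db:
            return False
        if a < b and not da < db:
            return False
    return True


def closed_for_sampled_eps(eta, samples=(0.1, 0.25, 0.5, 0.75, 1.0)):
    """Order preservation over a grid of eps values (the definition quantifies over all of (0, 1])."""
    return all(order_preserved(eta, e) for e in samples)


def increments_at_least_one(eta):
    """Fact 5.3's condition: every non-zero increment between consecutive stamps is >= 1."""
    stamps = [T for _, T in eta]
    return all(b == a or b - a >= 1 for a, b in zip(stamps, stamps[1:]))


# Constructed runs: the state is a process location, the stamp an absolute time.
OK_RUN = [("idle", 0.0), ("wait", 1.2), ("try", 2.7), ("try", 2.7), ("crit", 4.0)]
BAD_RUN = [("idle", 0.0), ("wait", 0.5), ("try", 1.0)]   # increments of 0.5 < 1

if __name__ == "__main__":
    for name, run in (("OK_RUN", OK_RUN), ("BAD_RUN", BAD_RUN)):
        print(name, "increments >= 1:", increments_at_least_one(run),
              "order preserved for sampled eps:", closed_for_sampled_eps(run))
        print("  [eta]_1.0 =", digitize_sequence(run, 1.0))
```

In OK_RUN every non-zero increment is at least 1, so the digitized stamps stay strictly ordered for every sampled $\epsilon$; in BAD_RUN the two observations at 0 and 0.5 collapse onto the same integer for $\epsilon = 1$, which is the situation Fact 5.3 excludes.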

5.4 Linear Temporal Logic 

Let us briefly describe propositional linear temporal logic [Pnu77], more popularly known as LTL. The vocabulary of LTL consists of a set $\mathcal{P}$ of atomic propositions. The formulas of LTL are built using boolean connectives, the next operator $\bigcirc$ and the until operator $\mathcal{U}$ as follows:

$$\phi ::= p \mid \neg\phi \mid \phi_1 \wedge \phi_2 \mid \bigcirc\phi \mid \phi_1\,\mathcal{U}\,\phi_2, \qquad p \in \mathcal{P}$$

The other temporal operators can be introduced as abbreviations, e.g., $F\phi = True\,\mathcal{U}\,\phi$, $G\phi = \neg F \neg\phi$.

The formulas of LTL can be interpreted over timed state sequences whose states are from $\Sigma$ such that each state in $\Sigma$ gives rise to an interpretation for the propositions in $\mathcal{P}$. Let $\eta = (\sigma, T)$ be a timed state sequence with $\sigma_i \in \Sigma$ for $i \geq 0$. The satisfaction relation $\eta \models \phi$ is defined inductively as follows:

- $\eta \models p$ iff $\sigma_0 \models p$;
- $\eta \models \neg\phi$ iff $\eta \not\models \phi$;
- $\eta \models \phi_1 \wedge \phi_2$ iff $\eta \models \phi_1$ and $\eta \models \phi_2$;
- $\eta \models \bigcirc\phi$ iff $\eta^1 \models \phi$ and $T_1 > T_0$;
- $\eta \models \phi_1\,\mathcal{U}\,\phi_2$ iff $\exists i \geq 0\ \exists a \in \mathbb{N} .\ \eta^i \models \phi_2$, where $T_i \geq T_0 + a$, and $\forall j .\ 0 \leq j < i .\ \eta^j \models \phi_1$.

For an LTL formula $\phi$, let the set $[\phi]_{TIME} \subseteq TSS_{TIME}$ contain all timed state sequences $\eta$ over the time domain $TIME$ such that $\eta \models \phi$. Thus, $[\phi]_{\mathbb{R}}$ is the analog dense-time property for the formula $\phi$. Note that for any specification expressed in LTL, $[\phi]_{\mathbb{R}}$ is closed under inverse digitization. To see this, consider two timed sequences $\eta$ and $\eta'$ with identical state components. Suppose $\eta \models \phi$, i.e., $\eta \in [\phi]_{\mathbb{R}}$. The proof is by induction on the structure of $\phi$. At the induction stage, we only consider the case $\phi = \phi_1\,\mathcal{U}\,\phi_2$. Now $\eta \models \phi_1\,\mathcal{U}\,\phi_2$ iff for some $i \geq 0$, $a \in \mathbb{N}$, $\eta^i \models \phi_2$, where $T_i \geq T_0 + a$, and $\eta^j \models \phi_1$ for all $0 \leq j < i$. By the induction hypothesis, we have $\eta'^i \models \phi_2$ and $\eta'^j \models \phi_1$. Since $T'_i \geq T'_0$, there exists some $a' \in \mathbb{N}$ such that $T'_i \geq T'_0 + a'$. Therefore $\eta' \models \phi$ and hence $\eta' \in [\phi]_{\mathbb{R}}$.

5.5 An Integral Verification Problem 

We conclude this section with this important observation. Given a TCTS or CCTS $S$, corresponding to a timeout-based or a calendar-based model, and a specification formula $\phi$ in LTL, we may check $S \models_{\mathbb{R}} \phi$ by verifying whether $S \models_{\mathbb{N}} \phi$. In the next section we shall try to further simplify this problem.

6 Clockless Modeling 

A finite state model-checker like Spin |Hol93j uses finite state automata to model the behavior of concur- 
rent processes in distributed systems. The combined execution of a system of asynchronous processes is 
described as a product of automata each of which models an individual process. The product automaton 
is finite if the number of processes, message channels, number of messages in a channel, and the range 
of values for various variables are finite in the automaton for each individual process. 






Though timeout and calendar based models can be used to efficiently capture dense time semantics 
without using a continuously varying clock, it is difficult to use these models for finite state model 
checking, even though we have seen that in most of the cases the verification problem reduces to an 
integral one thanks to digitization. The difficulty arises from the fact that the value of the global clock 
t and the values of the timeout variables in T diverge and thus are not bounded by a finite domain. 
Unlike TA there is no provision of resetting the global clock or timeouts in these models, as a result of 
which the timeout and calendar based models cannot be directly used for finite state model checking. 

We propose a finitary reduction technique, which is formalized in terms of clockless modeling and 
semantics in the next section. This technique effectively reduces the timeout and calendar based tran- 
sition systems with discrete dynamics into finite state systems, which, in turn, can be expressed and 
model checked by finite state model checkers. The assumption of discrete time as the underlying model 
is particularly relevant to cases where we are left with integral verification problem exploiting digitization 
results. 

From the semantics of the timeout based systems it is clear that to implement the time progress transition, a special process is required to increase the global clock to the minimum of the timeouts, when each of the timeout values is strictly greater than the current value of the clock. A process $P_i$ waits until its timeout is equal to the global clock, and when it is so, $P_i$ takes the discrete transition and updates its own timeout according to the specified update rule. We model this special process, which is responsible for the time progress transition, in such a way that it does not explicitly use the clock variable and prevents the timeout variables from growing infinitely. We call this process time_progress.

The process time_progress is implemented as follows. When the global clock is less than all the timeouts no discrete transition is possible in the system. In such a situation, time_progress finds the minimum of all the timeouts in $T$ and scales down all these timeouts in $T$ by this amount. In this way at least one of the timeouts becomes zero. The guards of the processes are defined in such a way that the processes wait until their timeouts become zero. When that happens the process updates its timeout and does the other necessary jobs.

If the update function always increments the timeouts by a finite value then it is guaranteed that the value of a timeout will always be in a finite domain. But in some cases it is possible that a timeout may take any value in the future. In those cases, the value of the timeout is taken as the largest possible value defined by the system. This approach can be extended to the calendar based models as well.
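As an added example (not code from the paper), the time_progress reduction just described applied to the timeout-based model of Fischer's protocol from Section 4.1: timeouts are stored as time remaining rather than as absolute clock values, time_progress subtracts the common minimum, a process fires when its own timeout reaches 0, and the bounded, nondeterministic re-arming of timeouts makes the state space finite, so the invariant $in\_critical \leq 1$ can be checked by exhaustive search. The concrete edge set (a re-arming self-loop in Sleeping while $lock \neq 0$, timeout ranges $[1, d_1]$, $[d_2, M]$ and $[1, M]$) and the bound $M$ on any timeout value are modelling assumptions of this example, not the paper's TTD.

```python
"""Clockless (finite-state) exploration of Fischer's mutual exclusion protocol.

Added example, not from the paper: the time_progress rule of Section 6
applied to the timeout model of Fischer's protocol (Section 4.1).  A state is
(locations, remaining timeouts, lock, in_critical).  The edges below and the
bound M on timeout values are this example's modelling assumptions.
"""
from collections import deque
from itertools import product

SLEEPING, WAIT, TRYING, CRITICAL = "Sleeping", "Wait", "Trying", "Critical"


def successors(state, d1, d2, M):
    """Clockless successors of ``state`` for parameters d1, d2 and bound M."""
    locs, tos, lock, in_crit = state
    least = min(tos)
    if least > 0:
        # time_progress: nothing is enabled, so scale every timeout down by the
        # minimum; at least one timeout becomes zero and its process may fire.
        return [(locs, tuple(t - least for t in tos), lock, in_crit)]

    def fire(i, new_loc, delta, new_lock=lock, new_in_crit=in_crit):
        # process i moves to new_loc and re-arms its timeout to delta > 0
        return (locs[:i] + (new_loc,) + locs[i + 1:],
                tos[:i] + (delta,) + tos[i + 1:],
                new_lock, new_in_crit)

    succ = []
    for i, loc in enumerate(locs):
        if tos[i] != 0:
            continue                    # P_i waits until its timeout is exhausted
        pid = i + 1                     # the value P_i writes into lock
        if loc == SLEEPING:
            if lock == 0:               # read lock = 0: enter Wait, write within d1
                succ += [fire(i, WAIT, d) for d in range(1, d1 + 1)]
            else:                       # lock held: re-arm and keep sleeping
                succ += [fire(i, SLEEPING, d) for d in range(1, M + 1)]
        elif loc == WAIT:               # lock := i, then wait at least d2
            succ += [fire(i, TRYING, d, new_lock=pid) for d in range(d2, M + 1)]
        elif loc == TRYING:
            if lock == pid:             # still our value: enter the critical section
                succ += [fire(i, CRITICAL, d, new_in_crit=in_crit + 1) for d in range(1, M + 1)]
            else:                       # overwritten: back to Sleeping
                succ += [fire(i, SLEEPING, d) for d in range(1, M + 1)]
        else:                           # CRITICAL: release the lock
            succ += [fire(i, SLEEPING, d, new_lock=0, new_in_crit=in_crit - 1)
                     for d in range(1, M + 1)]
    return succ


def explore(n, d1, d2, M):
    """Breadth-first search of the clockless state space of n processes.

    Returns (reachable_states, violating_state); the second component is None
    when the invariant G(in_critical <= 1) holds on every reachable state.
    """
    assert 1 <= d1 <= M and 1 <= d2 <= M
    # initial timeouts are arbitrary positive values, as after the entry transition
    start = [((SLEEPING,) * n, tos, 0, 0) for tos in product(range(1, M + 1), repeat=n)]
    seen = set(start)
    queue = deque(start)
    while queue:
        s = queue.popleft()
        if s[3] > 1:
            return len(seen), s
        for nxt in successors(s, d1, d2, M):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen), None


if __name__ == "__main__":
    print("d1 < d2:", explore(2, d1=1, d2=2, M=3))   # mutual exclusion holds
    print("d1 > d2:", explore(2, d1=2, d2=1, M=3))   # a violating state is found
```

Because every timeout is re-armed from a bounded range and time_progress only ever subtracts, no timeout value exceeds $M$, which is what keeps the search finite; with $d_1 < d_2$ the search finds no state with two processes in Critical, while $d_1 > d_2$ produces one.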

The discussion above is formalized in terms of "clockless" modeling as below: 

6.1 Timeout based Models: Clockless Modeling 

6.1.1 Clockless Syntax 

In order to capture the effect of finite state reduction in a timeout model, we restrict the set $U$ and redefine $update^-_i$ as follows:

$$U = T \cup X \cup Var.$$

$update^-_i$ is given by the following rule:

$$update^-_i = k_1 \mid k_2 \mid \infty \mid \max(\mathcal{M}),$$

where $l - z \prec k_1 \prec' m - z'$ for $\prec, \prec' \in \{<, \leq\}$ and $k_2 \succ l - z$ for $\succ \in \{>, \geq\}$; $z, z' := w \mid 0$ and $l, m \in \mathbb{N}$ are non-negative integer constants. For any $z \in U$ let $\sigma^-(z)$ stand for the value of the variable $z$ in (clockless) state $\sigma^-$. Note that $update^-_i$ is different from the update function $update_i$ for the clocked transition system in the sense that this one updates the timeouts in a bounded domain.

6.1.2 Clockless Semantics 

For clockless modeling of timeout based models we associate a transition system $S^-_P = (V^-, \Sigma^-, \Sigma^-_0, \Gamma^-)$, where $V^- = V \setminus \{t\}$ is a set of variables, $\Sigma^-$ a set of clockless states, $\Sigma^-_0 \subseteq \Sigma^-$ the initial clockless states (defined in an analogous manner as for clocked transition systems) and $\Gamma^-$ a set of clockless transitions. We remark that given a timeout based model, the set of states $\Sigma$ for the clocked transition system and the set of states $\Sigma^-$ for the clockless transition system are exactly similar modulo the assignment of the global clock variable $t$. The same is true for the initial states too. Note $\Gamma^- = \Gamma^-_e \cup \Gamma^-_+ \cup \Gamma^-_0 \cup \Gamma^-_{syn\_comm}$; while $\Gamma^-_e$ is identical to $\Gamma_e$ for clocked transitions, we shall only define the Time Progress Transition $\Gamma^-_+$, Timeout Increment Transition $\Gamma^-_0$, and Synchronous Communication Transition $\Gamma^-_{syn\_comm}$ by modifying the same for the clocked timeout transition system as defined earlier.
Time Progress Transition: The edges $\nu^-_+$ are redefined such that all the timeouts are decremented by the minimum of the current timeout values. In particular, $\nu^-_+ = (\sigma^-, \sigma'^-) \in \Gamma^-_+$ iff

1. $\min\{\sigma^-(T)\} > 0$
2. $\forall \tau \in T : \sigma'^-(\tau) = \sigma^-(\tau) - \min\{\sigma^-(T)\}$
3. $\forall x \in X \cup Var : \sigma'^-(x) = \sigma^-(x)$
4. $\forall i : \sigma'^-(\pi_i) = \sigma^-(\pi_i)$

Timeout Increment Transition: For the edges $\nu^-_0$, if there is an edge in the TTD for process $P_i$ connecting source location $l^i_j$ to target location $l^i_k$ and labeled by the instruction $p \Rightarrow (update^-_i, \gamma, f)$, then $\nu^-_0 = (\sigma^-, \sigma'^-) \in \Gamma^-_0$ iff

1. $p$ holds in $\sigma^-$
2. if $\sigma^-(\tau_i) = 0$ then $\sigma'^-(\tau_i) = update^-_i > 0$ else $\sigma'^-(\tau_i) = \sigma^-(\tau_i)$
3. $\forall y \in \gamma : \sigma'^-(y) = \sigma'^-(\tau_i) + \sigma^-(y)$ and $\forall x \in X \setminus \gamma : \sigma'^-(x) = \sigma^-(x)$
4. $\forall v \in G \cup L_i : \sigma'^-(v) = f(\sigma^-(v))$ and $\forall v \in Var \setminus (G \cup L_i) : \sigma'^-(v) = \sigma^-(v)$
5. $\sigma^-(\pi_i) = l^i_j$ and $\sigma'^-(\pi_i) = l^i_k$



Observe that $update^-_i$ is a slight modification of $update_i$. If $update^-_i = k_1$ s.t. $l - z \prec k_1 \prec' m - z'$, then $update^-_i$ arbitrarily selects a value $\delta$ such that $l - \sigma^-(z) \prec \delta \prec' m - \sigma^-(z')$. If $update^-_i = k_2$ s.t. $k_2 \succ l - z$, then $update^-_i$ arbitrarily selects a value $\delta$ such that $\delta \succ l - \sigma^-(z)$; else if $update^-_i = \infty$, then it selects the largest possible constant defined by the system and returns it as $\delta$. If $update^-_i = \max(\mathcal{M})$, $update^-_i$ nondeterministically selects any integer $\delta$ in $[0, M + 1]$, where $M$ is the maximum of all the integers in $\mathcal{M}$. Unlike the local timing variables appearing in $\gamma$ in a (clocked) ToM, these timing variables incrementally capture the value of the next timeout in a clockless ToM. An observant reader can see that the relative delays between events captured by these local timing variables are the same in both models.

Synchronous Communication: For a pair of processes $P_s, P_r$ having edges $(e_s, e_r)$, $\nu^-_{syn\_comm} = (\sigma^-, \sigma'^-) \in \Gamma^-_{syn\_comm}$ iff

1. $p$ holds in $\sigma^-$
2. $\sigma'^-(\tau_s) = update^-_s > \sigma^-(\tau_s)$ and $\sigma'^-(\tau_r) = update^-_r > \sigma^-(\tau_r)$
3. $\forall y \in \gamma : \sigma'^-(y) = \sigma'^-(\tau_s) + \sigma^-(y)$, $\forall y' \in \gamma' : \sigma'^-(y') = \sigma'^-(\tau_r) + \sigma^-(y')$ and $\forall x \in X \setminus (\gamma \cup \gamma') : \sigma'^-(x) = \sigma^-(x)$
4. $\sigma'^-(\hat{m}) = \sigma^-(m)$
5. $\forall v \in G \cup L_s : \sigma'^-(v) = g(\sigma^-(v))$, $\forall v \in G \cup L_r : \sigma'^-(v) = h(\sigma^-(v))$ and $\forall v \in Var \setminus (G \cup L_r \cup L_s) : \sigma'^-(v) = \sigma^-(v)$
6. $\sigma^-(\pi_s) = l^s_j$, $\sigma^-(\pi_r) = l^r_{j'}$ and $\sigma'^-(\pi_s) = l^s_k$, $\sigma'^-(\pi_r) = l^r_{k'}$



6.2 Calendar based Models: Clockless Modeling 
6.2.1 Clockless Syntax 

Similar to the ToM, calendar based models can also be defined in a clockless manner. However, we restrict the set $U$ to

$$U = T \cup X \cup Var \cup C,$$

where $update^-_i$ is defined using the same rule as in the case of the clockless ToM.



6.2.2 Clockless Semantics 

Similar to the clockless ToM, we can define a transition system for clockless calendar based models. Here we need to modify the Time Progress, Timeout Increment, Send, and Receive Transitions as defined earlier for CCTS. The Synchronous Communication transition is similar to the one for the timeout based model with clockless semantics.

Time Progress Transition: The first kind of edges $\nu^-_+$ are redefined so that all the timeout and calendar delay entries are decremented by the minimum of all timeouts and the message delays in the calendar. In particular, $\nu^-_+ = (\sigma^-, \sigma'^-) \in \Gamma^-_+$ iff

1. $\min\{\sigma^-(T) \cup \Delta(\sigma^-(C))\} > 0$
2. $\forall \tau \in T : \sigma'^-(\tau) = \sigma^-(\tau) - \min\{\sigma^-(T) \cup \Delta(\sigma^-(C))\}$
3. $\forall \lambda \in \Delta(\sigma^-(C)) : \sigma'^-(\lambda) = \sigma^-(\lambda) - \min\{\sigma^-(T) \cup \Delta(\sigma^-(C))\}$
4. $\forall x \in X \cup Var : \sigma'^-(x) = \sigma^-(x)$
5. $\forall i : \sigma'^-(\pi_i) = \sigma^-(\pi_i)$



Timeout Increment Transition: For the second kind of edges $\nu^-_0$, if there is an edge in process $P_i$ connecting source location $l^i_j$ to target location $l^i_k$ and labeled by the instruction $p \Rightarrow (\tau_i := update^-_i, \gamma, f)$, then $\nu^-_0 = (\sigma^-, \sigma'^-) \in \Gamma^-_0$ iff

1. $p$ holds in $\sigma^-$
2. if $\min\{\sigma^-(T)\} = \sigma^-(\tau_i) = 0$ then $\sigma'^-(\tau_i) = update^-_i > 0$ else $\sigma'^-(\tau_i) = \sigma^-(\tau_i)$
3. $\forall y \in \gamma : \sigma'^-(y) = \sigma'^-(\tau_i) + \sigma^-(y)$ and $\forall x \in X \setminus \gamma : \sigma'^-(x) = \sigma^-(x)$
4. $\forall v \in G \cup L_i : \sigma'^-(v) = f(\sigma^-(v))$ and $\forall v \in Var \setminus (G \cup L_i) : \sigma'^-(v) = \sigma^-(v)$
5. $\sigma^-(\pi_i) = l^i_j$ and $\sigma'^-(\pi_i) = l^i_k$



Send Transition: If there is an edge in process $P_i$, which connects source location $l^i_j$ to target location $l^i_k$ and is labeled by the instruction $p \Rightarrow (send(m, i, \Omega, \lambda), update^-_i, \gamma, f)$, then we have the corresponding edge $\nu^-_{send} = (\sigma^-, \sigma'^-) \in \Gamma^-_{asyn\_comm}$, which adds $|\Omega|$ cells to the calendar array $C$:

1. $p$ holds in $\sigma^-$
2. if $\min\{\sigma^-(T)\} = \sigma^-(\tau_i) = 0$ then $\sigma'^-(\tau_i) = update^-_i > 0$ else $\sigma'^-(\tau_i) = \sigma^-(\tau_i)$
3. $\forall y \in \gamma : \sigma'^-(y) = \sigma'^-(\tau_i) + \sigma^-(y)$ and $\forall x \in X \setminus \gamma : \sigma'^-(x) = \sigma^-(x)$
4. $\forall v \in G \cup L_i : \sigma'^-(v) = f(\sigma^-(v))$ and $\forall v \in Var \setminus (G \cup L_i) : \sigma'^-(v) = \sigma^-(v)$
5. $\forall (r, \lambda_r) \in \Omega : \sigma'^-(C) := \sigma^-(C) + \{m, i, r, \lambda_r\}$
6. $\sigma^-(\pi_i) = l^i_j$ and $\sigma'^-(\pi_i) = l^i_k$

Receive Transition: If there is an edge in process $P_r$, which connects source location $l^r_j$ to target location $l^r_k$ and is labeled by the instruction $True \Rightarrow (receive(m, i, r), \gamma, f)$, then we have the corresponding edge $\nu^-_{receive} = (\sigma^-, \sigma'^-) \in \Gamma^-_{asyn\_comm}$, which deletes the cell containing $\{m, i, r, \lambda_r\}$ from the calendar array $C$:

1. $\exists \{m, i, r, \lambda_r\} \in \sigma^-(C)$ s.t. $\lambda_r = 0$
2. $\sigma'^-(\tau_r) = update^-_r > 0$
3. $\forall y \in \gamma : \sigma'^-(y) = \sigma'^-(\tau_r) + \sigma^-(y)$ and $\forall x \in X \setminus \gamma : \sigma'^-(x) = \sigma^-(x)$
4. $\forall v \in G \cup L_r : \sigma'^-(v) = f(\sigma^-(v))$ and $\forall v \in Var \setminus (G \cup L_r) : \sigma'^-(v) = \sigma^-(v)$
5. $\sigma'^-(C) := \sigma^-(C) \setminus \{m, i, r, \lambda_r\}$
6. $\sigma^-(\pi_r) = l^r_j$ and $\sigma'^-(\pi_r) = l^r_k$

Thus the clockless semantics defines a possible clockless computation $\xi^-$ of a TCTS/CCTS as a sequence of states $\sigma^-_0, \sigma^-_1, \cdots$.
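An added example, not code from the paper: the clockless calendar semantics defined above run in Python on a constructed broadcast scenario in the spirit of the TTA model of Section 4.2. Time progress subtracts the common minimum from every timeout and every calendar delay, a calendar cell is received when its delay reaches 0, and a process fires its edge when its timeout reaches 0; absolute time is accumulated only for the event log, never used by the semantics. The node ids, message name, the sender's period, the delivery delay and the fixed re-arm values (which stand in for $update^-$) are assumptions of this example.

```python
"""Clockless simulation of a calendar-based model (Section 6.2).

Added example, not from the paper.  Timeouts and calendar delays hold the
time remaining; time_progress subtracts their common minimum; cells with
delay 0 are received; processes with timeout 0 fire.  The scenario in run()
is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    """One calendar cell {m, i, r, lambda_r}: message m from i to r, delay remaining."""
    msg: str
    sender: int
    receiver: int
    delay: int


@dataclass
class Model:
    timeouts: dict                     # node id -> remaining time to its next timeout
    calendar: list = field(default_factory=list)
    elapsed: int = 0                   # absolute time, kept only for the log
    log: list = field(default_factory=list)
    max_seen: int = 0                  # largest timeout value ever assigned

    def time_progress(self):
        """Clockless time progress: subtract the minimum pending value everywhere."""
        pending = list(self.timeouts.values()) + [e.delay for e in self.calendar]
        m = min(pending)
        assert m > 0, "time_progress is only enabled when nothing is due"
        for k in self.timeouts:
            self.timeouts[k] -= m
        for e in self.calendar:
            e.delay -= m
        self.elapsed += m

    def send(self, msg, sender, receivers, delay):
        """send(m, i, Omega): one calendar cell per receiver, all with the same delay."""
        for r in receivers:
            self.calendar.append(Entry(msg, sender, r, delay))
        self.log.append((self.elapsed, f"node {sender} sends {msg} to {receivers}"))

    def rearm(self, node, value):
        """update^-: the new timeout must be positive and is bounded by construction."""
        assert value > 0
        self.timeouts[node] = value
        self.max_seen = max(self.max_seen, value)

    def step(self, sender, receivers, period, delay, on_receive):
        """One clockless transition: receptions due now, else timeouts at 0, else time progress."""
        due = [e for e in self.calendar if e.delay == 0]
        if due:
            for e in sorted(due, key=lambda e: e.receiver):
                self.calendar.remove(e)          # sigma'(C) := sigma(C) \ {m, i, r, lambda_r}
                self.log.append((self.elapsed, f"node {e.receiver} receives {e.msg} from {e.sender}"))
                self.rearm(e.receiver, on_receive)
            return
        zero = [k for k, v in self.timeouts.items() if v == 0]
        if zero:
            for k in sorted(zero):
                if k == sender:                  # send edge: broadcast, then re-arm
                    self.send("m", k, receivers, delay)
                    self.rearm(k, period)
                else:                            # plain timeout edge
                    self.log.append((self.elapsed, f"node {k} times out"))
                    self.rearm(k, on_receive)
            return
        self.time_progress()


def run(until=8):
    """Constructed scenario: node 1 broadcasts every 4 units with delivery delay 1 to
    nodes 2 and 3 (R_1 = {2, 3}); a receiver re-arms its timeout to 6 on reception."""
    model = Model(timeouts={1: 2, 2: 5, 3: 4})
    model.max_seen = max(model.timeouts.values())
    while model.elapsed <= until:
        model.step(sender=1, receivers=[2, 3], period=4, delay=1, on_receive=6)
    return model.log, model.max_seen


if __name__ == "__main__":
    events, bound = run()
    for when, what in events:
        print(f"t={when}: {what}")
    print("largest timeout value assigned:", bound)
```

Node 3 starts with a timeout of 4 but never times out: the reception at $t = 3$ re-arms it first, which is exactly the effect of the receive edge's $update^-_r$ overriding the pending timeout. The relative delays between send and receive events are the same as the clocked model would produce, while no stored value ever exceeds 6.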



6.3 LTL formulas for Clockless Models

A remark about the LTL formulas that would be verified against clockless models is in order. These formulas will not involve the global timing variable $t$. The LTL formulas will be built using finitely many atomic propositions (constraints), which may be defined in terms of state variables for which the set of possible combinations of valuations needs to be finite.

Assuming that typical arithmetic constraints are defined in terms of variables in $U$ (as defined before for clockless timeout and calendar models), let us now define a point-wise or event based semantics for LTL formulas based on its classical semantics [CGP99]. A model for an LTL formula would consist of a
sequence of states of the form

$$\sigma_0, \sigma_1, \ldots$$

such that each state $\sigma_i$ gives a boolean interpretation (true, false) to the propositions, and a non-negative integer valued interpretation to the timeout variables in $T$, the timing variables in $X$, and the state variables in $Var$, all of which are bounded above by some positive integer constant. In a state $\sigma_i$, let us assume $\sigma_i(v)$ to be the value of $v \in U$. Considering as an example the arithmetic constraint $t_j - t_k > c$, where $t_j, t_k \in T \cup X$ and $c$ is an integer constant, the satisfaction relation $\models$ can be defined as

$\sigma_i \models p$ iff $\sigma_i(p) = true$
$\sigma_i \models t_j - t_k > c$ iff $\sigma_i(t_j) - \sigma_i(t_k) > c$
$\sigma_i \models \neg\phi$ iff $\sigma_i \not\models \phi$
$\sigma_i \models \phi \vee \psi$ iff $\sigma_i \models \phi$ or $\sigma_i \models \psi$
$\sigma_i \models \bigcirc\phi$ iff $\sigma_{i+1} \models \phi$
$\sigma_i \models \phi\,\mathcal{U}\,\psi$ iff $\exists k \ge i.\ \sigma_k \models \psi$ and $\forall j.\ i \le j < k.\ \sigma_j \models \phi$

In terms of these LTL formulas, using a clockless ToM one can essentially verify all those qualitative properties of the associated real-time system which are otherwise prohibitively difficult to verify using the clocked ToM models and timed temporal logics. This is because clockless models preserve the qualitative behavior of the clocked models and LTL can effectively specify these properties. As the valuations of the variables in the clockless models are bounded, the clockless models effectively give rise to finite state behaviors. Indeed, we can also estimate the approximate size of the clockless TCTS, which has a direct bearing on the time complexity of its LTL model-checking. Assume a clockless ToM with $n$ parallel processes with $k$ local timing variables. Let the valuations of timeouts and timing variables be bounded above by $M = \max(\mathcal{M})$. Also let the sizes of the clockless TTDs of these processes be bounded by $D$. In terms of these, the size of the clockless TTS can be bounded by $\mathcal{F} = O(\max\{M^{n+k} D^n, |\Gamma^-|\})$, using asymptotic notation. This in turn implies that the complexity of model checking such a clockless TTS against an LTL formula $\phi$ would be $O(\mathcal{F} \cdot 2^{|\phi|})$ [VaW86].

6.4 Clockless Models (Bi-) Simulate Clock Models

In this section we will show that clockless models (bi-)simulate clock models with respect to LTL formulas. Let us consider a ToM $P$ and its TCTS $S_P = (V, \Sigma, \Sigma_0, \Gamma)$ and also the clockless ToM $P^-$ and the corresponding timeout based clockless transition system $S^-_P = (V^-, \Sigma^-, \Sigma^-_0, \Gamma^-)$; both of them model the same system. Given a computation $\xi : \sigma_0 \to \sigma_1 \to \cdots$ over $S_P$, let us generate a clockless computation $\xi^-$ as a sequence of states $\sigma^-_0, \sigma^-_1, \cdots$ over $S^-_P$ as follows:

• Initial states correspond: $\forall \tau \in T.\ \sigma^-_0(\tau) = \sigma_0(\tau)$, $\forall x \in X.\ \sigma^-_0(x) = \sigma_0(x)$, $\sigma^-_0(\pi_i) = \sigma_0(\pi_i) = \bot$.

• Entry transition: if $(\sigma_0, \sigma_1) \in \Gamma_e$ then

• Time progress transition: if $(\sigma_{i-1}, \sigma_i) \in \Gamma_+$ then
• Timeout increment transition: if $(\sigma_{i-1}, \sigma_i) \in \Gamma_e$ (which is labeled by the instruction $p \Rightarrow (\tau_i := update_i, \gamma, f)$) then

1. if $\sigma^-_{i-1}(\tau_i) = 0$ then $\sigma^-_i(\tau_i) = update^-_i$, else $\sigma^-_i(\tau_i) = \sigma_i(\tau_i)$,
2. $\forall x \in \gamma.\ \sigma^-_i(x) = \min\{\sigma_{i-2}(T)\} + \sigma^-_{i-1}(x)$,
3. $\forall x \in X \setminus \gamma.\ \sigma^-_i(x) = \sigma_{i-1}(x)$,
4. $\forall i.\ \sigma^-_i(\pi_i) = \sigma_i(\pi_i)$,

where $update^-_i$ is defined in $P^-$.

• Synchronous communication: if $(\sigma_{i-1}, \sigma_i) \in \Gamma_{syn\_comm}$ then

1. $\sigma^-_i(\tau_s) = \sigma_i(\tau_s)$ and $\sigma^-_i(\tau_r) = \sigma_i(\tau_r)$
2. $\forall x \in X.\ \sigma^-_i(x) = \sigma_i(x)$
3. $\sigma^-_i(m) = \sigma_i(m)$ and $\sigma^-_{i-1}(m) = \sigma_{i-1}(m)$
4. $\forall v \in G \cup L_s : \sigma^-_i(v) = \sigma_i(v)$ and $\forall v \in G \cup L_r : \sigma^-_i(v) = \sigma_i(v)$, $\forall v \in Var \setminus (G \cup L_s \cup L_r) : \sigma^-_i(v) = \sigma_i(v)$
5. $\sigma^-_{i-1}(\pi_s) = \sigma_{i-1}(\pi_s) = l^s_j$, $\sigma^-_{i-1}(\pi_r) = \sigma_{i-1}(\pi_r) = l^r_{j'}$ and $\sigma^-_i(\pi_s) = \sigma_i(\pi_s) = l^s_k$, $\sigma^-_i(\pi_r) = \sigma_i(\pi_r) = l^r_{k'}$



Check that $\sigma^-_0 \in \Sigma^-_0$ and $(\sigma^-_i, \sigma^-_{i+1}) \in \Gamma^-$. It is clear that $\xi^- = \sigma^-_0 \to \sigma^-_1 \to \cdots$ forms a clockless computation over $S^-_P$. We can associate a mapping $Tr : \Sigma \times \Sigma \to \Sigma^-$, parameterized by an entry transition, as follows. Fix two states $\sigma_0 \in \Sigma_0$, $\sigma_1 \in \Sigma$ such that $(\sigma_0, \sigma_1) \in \Gamma_e$. Call $\gamma = (\sigma_0, \sigma_1)$. Then define $Tr_\gamma(\sigma_0, \sigma_0) = \sigma^-_0$ and $Tr_\gamma(\sigma_i, \sigma_{i-1}) = \sigma^-_i$, $\forall i \ge 1$.

We say that computations $\xi : \sigma_0 \sigma_1 \cdots$ in $S_P$ and $\xi^- : \sigma^-_0 \sigma^-_1 \cdots$ in $S^-_P$ correspond if and only if there exists $Tr_\gamma : \Sigma \times \Sigma \to \Sigma^-$ such that $\sigma^-_0 = Tr_\gamma(\sigma_0, \sigma_0)$ and for every $i > 0$, $\sigma^-_i = Tr_\gamma(\sigma_i, \sigma_{i-1})$, where $\gamma = (\sigma_0, \sigma_1)$. Let $\sigma \in \Sigma$ and $\sigma^- \in \Sigma^-$ be two states and let there be a computation in $S_P$ which starts in $\sigma$. Then it is easy to see that there exists a corresponding computation in $S^-_P$ beginning with $\sigma^-$ [CGP99].

We consider LTL formulas consisting of propositions and variables appearing in the clockless transition system $S^-_P$. Assume $\sigma \in \Sigma$ and $\sigma^- \in \Sigma^-$ are two states such that $Tr_\gamma(\sigma, \sigma') = \sigma^-$ for some $\sigma' \in \Sigma$ and some entry transition $\gamma$. Then for any LTL formula $\phi$, $\sigma^- \models \phi$ implies $\sigma \models \phi$ (using the semantics of LTL formulas as discussed in Section 6.3). This can be proved by induction on the structure of $\phi$. Finally, $S^-_P \models \phi$ implies $S_P \models \phi$. In this sense we can say that $S^-_P$ simulates $S_P$ [CGP99]. Thus it is enough to verify properties on the clockless transition system $S^-_P$ instead of on $S_P$.

Similar results can be established for the calendar-based clocked transition system (CCTS) also. In fact a reverse mapping can be defined too. To see this, let us assume $\xi^- = \sigma^-_0, \sigma^-_1, \ldots$ to be a clockless computation over $S^-$. Now generate a sequence of states $\sigma_0, \sigma_1, \ldots$ as follows.

• $\sigma_0(t) = \min\{\sigma^-_0(T)\}$, $\forall \tau \in T.\ \sigma_0(\tau) = \sigma^-_0(\tau)$, $\forall x \in X.\ \sigma_0(x) = \sigma^-_0(x)$, $\sigma_0(\pi_i) = \sigma^-_0(\pi_i) = \bot$

• if $(\sigma_0, \sigma_1) \in \Gamma_e$ then
  1. $\forall \tau \in T.\ \sigma_1(\tau) = \sigma^-_1(\tau)$,
  2. $\forall x \in X.\ \sigma_1(x) = \sigma^-_1(x)$,
  3. $\sigma_1(\pi_i) = \sigma^-_1(\pi_i) = l^i_0$,
  4. $\sigma_1(t) = \sigma^-_1(t) = \sigma^-_0(t)$

• if $(\sigma_{i-1}, \sigma_i) \in \Gamma_+$ then
  1. $\forall \tau \in T.\ \sigma_i(\tau) = \sigma_{i-1}(\tau)$,
  2. $\forall x \in X.\ \sigma_i(x) = \sigma_{i-1}(x)$,
  3. $\forall i.\ \sigma_i(\pi_i) = \sigma^-_i(\pi_i)$,
  4. $\sigma_i(t) = \min\{\sigma_{i-1}(T)\}$.

• if $(\sigma_{i-1}, \sigma_i) \in \Gamma_e$ then
  1. if $\sigma^-_{i-1}(\tau_i) = 0$ then $\sigma_i(\tau_i) = update_i$ else $\sigma_i(\tau_i) = \sigma_{i-1}(\tau_i)$,
  2. $\forall x \in X.\ \sigma_i(x) = \sigma_{i-1}(x)$,
  3. $\forall i.\ \sigma_i(\pi_i) = \sigma^-_i(\pi_i)$,
  4. $\sigma_i(t) = \sigma_{i-1}(t)$

• if $(\sigma_{i-1}, \sigma_i) \in \Gamma_{syn\_comm}$ then
  1. $\sigma_i(\tau_s) = \sigma^-_i(\tau_s)$ and $\sigma_i(\tau_r) = \sigma^-_i(\tau_r)$
  2. $\forall x \in X.\ \sigma_i(x) = \sigma^-_i(x)$
  3. $\sigma_i(m) = \sigma^-_i(m)$ and $\sigma_{i-1}(m) = \sigma^-_{i-1}(m)$
  4. $\forall v \in G \cup L_s : \sigma_i(v) = \sigma^-_i(v)$ and $\forall v \in G \cup L_r : \sigma_i(v) = \sigma^-_i(v)$, $\forall v \in Var \setminus (G \cup L_s \cup L_r) : \sigma_i(v) = \sigma^-_i(v)$
  5. $\sigma_{i-1}(\pi_s) = \sigma^-_{i-1}(\pi_s) = l^s_j$, $\sigma_{i-1}(\pi_r) = \sigma^-_{i-1}(\pi_r) = l^r_{j'}$ and $\sigma_i(\pi_s) = \sigma^-_i(\pi_s) = l^s_k$, $\sigma_i(\pi_r) = \sigma^-_i(\pi_r) = l^r_{k'}$,
  6. $\sigma_i(t) = \sigma_{i-1}(t)$.

Clearly, $\xi : \sigma_0 \to \sigma_1 \to \cdots$ is a computation over $S$. Associate a mapping $Tr' : \Sigma^- \to \Sigma$ with this such that $Tr' : \sigma^-_i \mapsto \sigma_i$, $\forall i$. Let us try to compose these two mappings. Note that $Tr \circ Tr' = id$ and $Tr' \circ Tr = id$, where $id$ is the identity mapping. This implies that $Tr$ is a bijective mapping and $(Tr)^{-1} = Tr'$.

Define a relation $B \subseteq \Sigma \times \Sigma^-$ as follows: for two states $s \in \Sigma$ and $s^- \in \Sigma^-$ we have $B(s, s^-)$ if and only if $s^- = Tr(s)$. Assume $s$ and $s^-$ satisfy the same atomic propositions. Also observe that

• for every state $s_1 \in \Sigma$ with $(s, s_1) \in \Gamma$ there exists $s^-_1 \in \Sigma^-$ with $(s^-, s^-_1) \in \Gamma^-$ such that $s^-_1 = Tr(s_1)$, i.e., $B(s_1, s^-_1)$;

• for every state $s^-_1 \in \Sigma^-$ with $(s^-, s^-_1) \in \Gamma^-$ there exists $s_1 \in \Sigma$ with $(s, s_1) \in \Gamma$ such that $s_1 = (Tr)^{-1}(s^-_1)$, i.e., $B(s_1, s^-_1)$.

Hence $B$ is a bisimulation relation between $S$ and $S^-$. Finally, we can see that for this bisimulation relation $B$, for every initial state $s_0 \in \Sigma$ in $S$ there is an initial state $s^-_0 \in \Sigma^-$ in $S^-$ such that $B(s_0, s^-_0)$. In addition, for every initial state $s^-_0 \in \Sigma^-$ in $S^-$ there is an initial state $s_0 \in \Sigma$ in $S$ such that $B(s_0, s^-_0)$. Hence $S$ and $S^-$ are bisimulation equivalent [CGP99]. Since bisimulation equivalent structures preserve LTL formulas [CGP99], we shall be dealing with clockless timeout based models for our verification purposes.

7 Experimental Evaluation 

In this section we illustrate finite state verification of real-time systems through clockless modeling on three real-time protocols introduced earlier: Fischer's Mutual Exclusion Protocol, TGC, and the TTA startup protocol. We perform finite state model checking of these protocols with the Spin and SAL-smc model checkers. For applying our technique we assume that the timeout increments of these protocols are more than one time unit. We carry out our experiments on a machine with a 2.26GHz Intel Core 2 Duo processor, 3 MB shared level 2 cache and 2GB 1066MHz DDR3 SDRAM, running Mac OS X Version 10.5.7. For experimentation with Spin, we use the XSpin graphical interface. To verify a property prop for a SAL specification model.sal we use the following SAL command:

sal-smc -v 3 model prop -enable-dynamic-reorder

Here enable-dynamic-reorder is a flag used with SAL-smc that enables dynamic reordering of BDD variables.

7.1 Fischer's Mutual Exclusion Protocol 

A clockless model of Fischer's mutual exclusion protocol is depicted in Figure 4. We consider the following safety property for Fischer's protocol: "no more than one processor can be in the critical region at any time". The property is frequently referred to as the mutual exclusion property. This can be represented in LTL as:

$\Box(in\_critical \le 1)$

To verify the safety property for Fischer's mutual exclusion protocol in Spin we used exhaustive verification and the bitstate hashing technique available in Spin, in both cases keeping the option of partial order reduction turned on. By the exhaustive verification technique, we could verify models containing only up to 4 nodes. Bitstate hashing enabled us to verify the same property for models with up to 6 nodes. Table 1 illustrates the computational resources and time required to prove the safety property for Fischer's mutual exclusion protocol using the bitstate hashing technique.

We perform clockless modeling of Fischer's protocol in the SAL language. Table 2 presents the number of states visited and the time required to prove the mutual exclusion property. We have been able to verify



[Figure 4 (diagram not reproduced): clockless model for the i-th processor in Fischer's protocol; the edge entering the critical region carries the update $in\_critical := in\_critical + 1$.]

Figure 4: Clockless model for the i-th processor in Fischer's Protocol



Table 1: Computational resources required for verification of Fischer's Protocol using bitstate hashing

| Property | N | # States Stored | # States Matched | # Transitions | Memory (MB) | Time (sec) |
|---|---|---|---|---|---|---|
| Safety | 2 | 563 | 463 | 1026 | 8.501 | 0.1 |
| Safety | 3 | 18220 | 29625 | 47845 | 8.598 | 0.11 |
| Safety | 4 | 667995 | 1716011 | 2384003 | 44.383 | 5.01 |
| Safety | 5 | 21373206 | 75073507 | 96446713 | 395.366 | 203.09 |
| Safety | 6 | 36720364 | 1.4129329e+08 | 1.7801365e+08 | 1722.014 | 908.56 |



Table 2: States explored and time required to verify the mutual-exclusion property by SAL-smc for Fischer's protocol

| # Nodes | # States Explored | Time (sec) |
|---|---|---|
| 2 | 468 | 0.15 |
| 3 | 7968 | 0.30 |
| 4 | 124760 | 1.40 |
| 5 | 1.876e6 | 2.35 |
| 6 | 2.760e7 | 3.84 |
| 7 | 4.010e8 | 12.43 |
| 8 | 5.786e9 | 23.04 |
| 9 | 8.306e10 | 44.604 |
| 10 | 1.189e12 | 69.9 |
| 11 | 1.697e13 | 213.76 |
| 12 | 2.417e14 | 196.36 |
| 13 | 3.438e15 | 2767.91 |
| 14 | 4.885e16 | 21731.91 |
| 15 | 6.935e17 | 4516.85 |
| 16 | 9.839e18 | 10376.53 |
| 17 | | |




[Figure 5 (diagram not reproduced): clockless model for the Train-Gate Controller, consisting of the processes Train, Controller and Gate. The edges are guarded by a timeout reaching 0 or by True (for receiving a message) and reset the process timeout to a nondeterministically chosen value, e.g. Train: $(\tau_t = 0) \Rightarrow (ch!approach,\ \tau_t := k \mid 20 < k < 50)$, $(\tau_t = 0) \Rightarrow (ch!exit,\ \tau_t := k \mid k > 0)$; Controller: $True \Rightarrow (ch?approach,\ \tau_c := k \mid 0 < k < 10)$, $(\tau_c = 0) \Rightarrow (ch_1!lower,\ \tau_c := \infty)$, $True \Rightarrow (ch?exit,\ \tau_c := k \mid 0 < k < 10)$, $(\tau_c = 0) \Rightarrow (ch_1!raise,\ \tau_c := \infty)$; Gate: $True \Rightarrow (ch_1?lower,\ \tau_g := k \mid 0 < k < 10)$, $True \Rightarrow (ch_1?raise,\ \tau_g := k \mid 10 < k < 20)$.]

Figure 5: Clockless model for Train-Gate Controller

the mutual exclusion property for Fischer's protocol with 16 processors in around 3 hours (except the model for 14 nodes, which took around 6 hours). We tried to verify the protocol for 17 and 18 nodes, and in both cases verification ran for more than 7 hours. We did not go for a higher number of nodes.

Fischer's protocol has been verified under dense time for the same mutual exclusion property in [DuS04a]. A direct attempt to prove the property by k-induction with induction depth up to 15 fails for even 2 processors. However, using a sequence of lemmas it was possible to prove the property by induction at depth 1 for up to 13 processors for the same SAL specification (Table 3.1 of [DuS04a]). The property was also proved by induction with a sequence of lemmas for a different SAL specification for a maximum of 53 processors (Table 3.5 of [DuS04a]).

To compare the performance and scalability of our verification approach with UPPAAL, we verified the Fischer's mutual exclusion protocol model available with the UPPAAL distribution. The UPPAAL model is based on the framework of timed automata. The mutual exclusion property could be verified successfully for up to 12 nodes. For 13 nodes, the verification process did not stop even in 7 hours. In verification with UPPAAL, the TA is reduced to zone automata, which are finite representations of infinite state systems. Although both our clockless verification scheme and UPPAAL's zone automata based verification are based on abstracting an infinite system to a finite one, this experimental result shows that our technique is more scalable than UPPAAL when using the SAL-smc model checker.






Table 3: Computational resources and time required for verification of the Train-Gate Controller under exhaustive verification

| Properties | # States Stored | # States Matched | # Transitions | Memory (MB) | Time (sec) |
|---|---|---|---|---|---|
| Safety | 246236 | 422596 | 668832 | 47.947 | 1.50 |
| Timeliness | 253500 | 415484 | 668984 | 50.389 | 1.58 |



Table 4: States explored and time required to verify safety and timeliness properties by SAL-smc for TGC

| Properties | # States Explored | Time (sec) |
|---|---|---|
| Safety | 1.123e6 | 5.24 |
| Timeliness | 4.807e5 | 2.41 |



7.2 Train-Gate Controller

A clockless model of TGC is depicted in Figure 5. For the TGC example as discussed before, we consider safety and timeliness properties for verification. The safety property says: when the Train crosses the line, the Gate should be down. The property is expressed in LTL as:

$\Box((t\_state = t_2) \Rightarrow (g\_state = g_2))$

where $t\_state$ denotes the different states of the Train, and it is $t_2$ when the Train comes into the crossing; $g\_state$ denotes the different states of the Gate, and it is $g_2$ when the Gate is down.

A timeliness property, in general, ensures that the time between two states is bounded by a particular value. We can find many timeliness properties in this example. We select an important one: "the time between the transmission of the approach signal by the Train and the moment when the Gate is down should not be more than 20 time units". To verify this property we use two auxiliary flags, $flag_1$ and $flag_2$, in our model. When the first event occurs, $flag_1$ is set to true. When the second event happens, $flag_2$ is set to true and $flag_1$ is reset to false.

A global variable $time\_diff$, initially set to 0, captures the time between the instants when the two flags are set. During every discrete transition between the two discrete transitions of interest, the minimum timeout value is added to $time\_diff$. The timeli­ness property is then specified as follows: "the value of $time\_diff$ never goes above 20". This is expressed in LTL as

$\Box(time\_diff \le 20)$

In Table 3 we illustrate the computational resources and time required to prove the safety and the timeliness properties for TGC by the Spin model checker. Both properties have been proved by exhaustive verification keeping the option of partial order reduction turned on.

We verify the safety and timeliness properties for TGC by SAL-smc, and the result is shown in Table 4.

It may be noted that dense time verification of the safety property for TGC took 46.15 seconds [DuS04a]. This was proved by k-induction at depth 14 using SAL-inf-bmc.
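The point-wise LTL semantics of Section 6.3 and the $flag_1$/$flag_2$/$time\_diff$ instrumentation of Section 7.2, as an added example that is not part of the paper: a small evaluator for the satisfaction relation over a finite-state (lasso-shaped) clockless run, used to check the TGC safety and timeliness properties on a constructed trace. The formula encoding, the event sequence and all location names other than $t_2$ and $g_2$ are assumptions of this example.

```python
# Added example (not code from the paper): the point-wise LTL semantics of
# Section 6.3 over a clockless state sequence, applied to a constructed
# Train-Gate Controller run with the flag1/flag2/time_diff instrumentation
# of Section 7.2.
from typing import Any, Dict, List, Tuple

State = Dict[str, Any]
Formula = Tuple[Any, ...]
# Formula syntax (an assumption of this example, mirroring the paper's cases):
# ("p", name) bool proposition | ("diff", tj, tk, c) t_j - t_k > c |
# ("le", var, c) var <= c | ("eq", var, value) location test |
# ("not", f) | ("or", f, g) | ("next", f) | ("until", f, g)
TRUE: Formula = ("p", "__true__")

def implies(f: Formula, g: Formula) -> Formula:
    return ("or", ("not", f), g)

def eventually(f: Formula) -> Formula:     # <>f = True U f
    return ("until", TRUE, f)

def always(f: Formula) -> Formula:         # []f = not <> not f
    return ("not", eventually(("not", f)))

class Lasso:
    """Infinite sequence sigma_0, sigma_1, ... given as a finite list whose
    last state continues at index `loop` (a finite-state behaviour)."""

    def __init__(self, states: List[State], loop: int) -> None:
        if not 0 <= loop < len(states):
            raise ValueError("loop index out of range")
        self.states, self.loop = states, loop

    def nxt(self, i: int) -> int:
        return i + 1 if i + 1 < len(self.states) else self.loop

    def holds(self, i: int, f: Formula) -> bool:
        """sigma_i |= f, case by case as in the satisfaction relation."""
        s, op = self.states[i], f[0]
        if op == "p":
            return True if f[1] == "__true__" else bool(s[f[1]])
        if op == "diff":
            return s[f[1]] - s[f[2]] > f[3]
        if op == "le":
            return s[f[1]] <= f[2]
        if op == "eq":
            return s[f[1]] == f[2]
        if op == "not":
            return not self.holds(i, f[1])
        if op == "or":
            return self.holds(i, f[1]) or self.holds(i, f[2])
        if op == "next":
            return self.holds(self.nxt(i), f[1])
        if op == "until":
            # exists k >= i with sigma_k |= g and sigma_j |= f for i <= j < k;
            # every position reachable from i is visited within len(states) steps.
            j = i
            for _ in range(len(self.states)):
                if self.holds(j, f[2]):
                    return True
                if not self.holds(j, f[1]):
                    return False
                j = self.nxt(j)
            return False
        raise ValueError(f"unknown operator {op!r}")

# Constructed TGC run. Location names other than t2 (train in the crossing)
# and g2 (gate down) are assumptions of this example. Each step is
# (event, minimum timeout subtracted by the time progress preceding it).
EFFECTS = {
    "approach": {"t_state": "t1", "flag1": True},    # first event of interest
    "lower": {"g_state": "g1"},
    "gate_down": {"g_state": "g2", "flag2": True, "flag1": False},  # second
    "cross": {"t_state": "t2"},
    "exit": {"t_state": "t0"},
    "raise": {"g_state": "g3"},
    "gate_up": {"g_state": "g0"},
}
STEPS = [("approach", 0), ("lower", 10), ("gate_down", 8), ("cross", 5),
         ("exit", 4), ("raise", 10), ("gate_up", 15)]

def tgc_trace(steps=STEPS) -> Lasso:
    """Section 7.2 instrumentation: while flag1 is set and flag2 is not, every
    discrete transition adds the minimum timeout value to time_diff."""
    cur: State = {"t_state": "t0", "g_state": "g0", "flag1": False,
                  "flag2": False, "time_diff": 0}
    states = [dict(cur)]
    for event, min_timeout in steps:
        if cur["flag1"] and not cur["flag2"]:
            cur["time_diff"] += min_timeout
        cur.update(EFFECTS[event])
        states.append(dict(cur))
    return Lasso(states, loop=len(states) - 1)   # stutter in the final state

SAFETY = always(implies(("eq", "t_state", "t2"), ("eq", "g_state", "g2")))
TIMELINESS = always(("le", "time_diff", 20))     # the two properties of 7.2

def check_tgc(steps=STEPS) -> Dict[str, bool]:
    run = tgc_trace(steps)
    return {"safety": run.holds(0, SAFETY), "timeliness": run.holds(0, TIMELINESS)}
```

With the constructed steps $time\_diff$ reaches 18, so both properties hold; delaying the gate_down step by 15 instead of 8 units makes the timeliness check fail while safety still holds.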

7.3 TTA Startup Algorithm 

Figure 6 depicts the clockless model for the TTA startup algorithm as discussed before in Section 4.2. We consider the following safety property: "whenever any two nodes are in their active state, the nodes agree on the slot time". For two nodes participating in the startup process, the corresponding LTL property is given below:

$\Box\big(((p_1 \wedge p_2) \wedge (q_1 \wedge q_2)) \Rightarrow \Diamond(r \wedge s)\big)$,

where $p_1 = (pc[0] = state\_active)$, $p_2 = (pc[1] = state\_active)$, $q_1 = (time\_out[0] > 0)$, $q_2 = (time\_out[1] > 0)$, $r = (time\_out[0] = time\_out[1])$, $s = (slot[0] = slot[1])$. Also, $pc[i]$ denotes the current state of the i-th node, $time\_out[i]$ denotes the timeout of the i-th node, and $slot[i]$ denotes the current time slot viewed by the i-th node; $state\_active$ characterizes the synchronized state of a node.

[Figure 6 (diagram not reproduced): clockless model for the i-th processor in the TTA startup algorithm; its edges are guarded by $\tau_i = 0$, send cs_frame and i_frame messages to the other nodes through the calendar, and reset $\tau_i$.]

Figure 6: Clockless model for the i-th processor in the TTA Startup algorithm.

The safety property ensures that when the nodes are in the active state, they are indeed synchronized. But it does not address the question whether all the nodes will eventually be synchronized or not. To ensure that this happens, it is specified in the form of the following liveness property: "eventually all the nodes will be in the active state and continue to be so". This liveness property for two nodes can be specified in LTL as follows:

$\Diamond\Box((pc[0] = state\_active) \wedge (pc[1] = state\_active))$

To verify the safety and the liveness property for TTA startup in Spin, we use both exhaustive verification and bitstate hashing, with partial order reduction enabled. By the exhaustive verification technique, the safety property can be verified for TTA models containing up to 5 nodes, and the liveness property can be verified up to 4 nodes. Bitstate hashing enables us to verify both properties for models with up to 9 nodes. For 10 nodes, the verification does not terminate even in 4 hours. Table 5 illustrates the computational resources and time required to prove the safety and liveness properties for the TTA Startup protocol using the bitstate hashing technique.

In Table 6 we describe the number of states and time required to prove the safety and liveness properties for the TTA Startup protocol using SAL-smc. We have been able to verify both safety and liveness properties for the TTA startup protocol for up to 8 nodes in around 1 hour. Let us contrast our verification effort with the dense time modeling and verification of the same protocol reported in [DuS04a, DuS04b]. Using bounded model checking the same safety property was proved for only 2 nodes by k-induction at depth 8, and that using 3 auxiliary lemmas (the proof failed for 3 nodes). However, the invariant can be strengthened by constructing an abstraction of the transition systems using a verification diagram-based approach [Rus00], and subsequently the property was verified for up to 10 nodes.



8 Extension of Timeout and Calendar based Models 

In this section we extend our model to incorporate other modeling concepts like inter-process scheduling, priorities and interrupts, and urgent and committed locations. These extensions will be illustrated using ToM as the base model; however, they can be easily adapted for calendar based ToM also. Also note that the digitization result presented in Section 5.3 and the finitary reduction and associated clockless modeling proposed in Section 6 are applicable to these extended models as well, because the additional components defined in these (extended) models are independent of the variables present in the base model and therefore do not affect the underlying semantics of the base model.
Table 5: Computational resources and time required to verify safety and liveness property by bitstate hashing technique in Spin for TTA Startup

| Properties | N | # States Stored | # States Matched | # Transitions | Memory (MB) | Time (sec) |
|---|---|---|---|---|---|---|
| Safety | 2 | 487 | 143 | 630 | 8.501 | 0.01 |
| Safety | 3 | 6142 | 6490 | 12632 | 8.501 | 0.05 |
| Safety | 4 | 217852 | 483497 | 701349 | 8.501 | 1.46 |
| Safety | 5 | 4126813 | 13188075 | 17314888 | 8.501 | 34.72 |
| Safety | 6 | 16508262 | 62593403 | 79101665 | 8.501 | 165.46 |
| Safety | 7 | 34442659 | 1.2702415e+08 | 1.6146681e+08 | 8.501 | 364.99 |
| Safety | 8 | 40175448 | 2.4473144e+08 | 2.8490689e+08 | 8.598 | 665.63 |
| Safety | 9 | 41008029 | 1.2976237e+09 | 1.3386317e+09 | 8.598 | 4390.17 |
| Liveness | 2 | 725 | 1036 | 2481 | 8.501 | 0.04 |
| Liveness | 3 | 8305 | 21980 | 38562 | 8.501 | 0.12 |
| Liveness | 4 | 249439 | 1149753 | 1648373 | 8.501 | 3.75 |
| Liveness | 5 | 4339737 | 28293352 | 36972211 | 8.501 | 83.32 |
| Liveness | 6 | 12678951 | 1.1096373e+08 | 1.3851011e+08 | 8.501 | 314.08 |
| Liveness | 7 | 20128894 | 2.0273546e+08 | 2.4108713e+08 | 8.501 | 531.80 |
| Liveness | 8 | 25361336 | 3.4848047e+08 | 3.8927174e+08 | 8.598 | 936.05 |
| Liveness | 9 | 40305514 | 2.307274e+09 | 2.3482827e+09 | 8.598 | 7039.02 |



Table 6: Computational resources required to verify safety and liveness property by SAL-smc for the TTA Startup

| # Nodes | # States | Time (Safety Property) (sec) | Time (Liveness Property) (sec) |
|---|---|---|---|
| 2 | 68 | 0.34 | 1.18 |
| 3 | 485 | 0.63 | 3.28 |
| 4 | 5297 | 2.75 | 10.56 |
| 5 | 76345 | 13.11 | 48.31 |
| 6 | 1331650 | 77.23 | 563.82 |
| 7 | 26872795 | 4044.31 | 742.90 |
| 8 | 615902175 | 3440.63 | 3101.26 |
8.1 Modeling Inter-Process Scheduling

So far, we have considered models capturing true parallelism with non-determinism. However, in some cases the ability of a system to meet real-time constraints crucially depends on the number of processors that are available and also on the process scheduling algorithm. Thus, we need to distinguish between the models of multiprocessing and multiprogramming. We show how ToM can be extended to include a fixed number of programs that are executed by time sharing on a single processor. Subsequently we use our framework to model priorities and interrupts for a general distributed multiprogramming system. These are motivated by the framework of multiprogramming systems introduced in [HMP92b].

A Multiprogramming Timeout based Model (MToM) $P$ has the form

$$[(P_{11} \,|||\, \ldots \,|||\, P_{1l_1}) \,||\, (P_{21} \,|||\, \ldots \,|||\, P_{2l_2}) \,||\, \ldots \,||\, (P_{m1} \,|||\, \ldots \,|||\, P_{ml_m})]$$

where each process $P_{i1}, \ldots, P_{il_i}$, $1 \le i \le m$, is a sequential non-deterministic process as we have seen before. By $P_\alpha \,|||\, P_\beta$ we mean that processes $P_\alpha$ and $P_\beta$ share a single processor and are executed one transition at a time according to some scheduling policy. Thus there are $m$ groups of processes in the above MToM such that all the processes in a group share the same processor, e.g., the processes $P_{11}, \ldots, P_{1l_1}$ would execute on the first processor. Processes in different groups running on different processors execute concurrently as in the case of the ToM defined in Section 3.1.1. The special case of synchronous communication needs special care because both the processes need to be simultaneously active: if processes $P_{ij}$ and $P_{i'j'}$ have a synchronous communication, these processes must be executing on different processors, that is, $i \ne i'$.

For example, $[(P_{11} \,|||\, P_{12} \,|||\, P_{13}) \,||\, (P_{21} \,|||\, P_{22})]$ is the model of a system with five processes running on two processors. The first three processes share the first processor and the next two the second processor. A synchronous communication can take place between two processes only when these processes belong to different groups.

A timed transition system $S_P = (V, \Sigma, \Sigma_0, \Gamma)$ can be associated with an MToM also. The key difference now is that $V$ contains additional processor control variables $\mu_1, \ldots, \mu_m$, such that $\mu_i$ ranges over $\{1, \ldots, k, \bot\}$, i.e., $V = U \cup \{\mu_1, \pi_{11}, \ldots, \pi_{1l_1}\} \cup \{\mu_2, \pi_{21}, \ldots, \pi_{2l_2}\} \cup \ldots \cup \{\mu_m, \pi_{m1}, \ldots, \pi_{ml_m}\}$. The processor control variables assume the value $\bot$ before the processor starts executing the processes in a group. Thereafter, the control of the process $P_{i\mu_i}$ resides at the location $\pi_{i\mu_i}$, executing on the i-th processor. In other terms, only the process $P_{i\mu_i}$ is active on the i-th processor, while all other processes $P_{ij}$, $j \ne \mu_i$, are suspended. When the execution of the process $P_{i\mu_i}$ is suspended as per the scheduling policy, in future it can only resume at the last suspended location.

For simplicity, we will next consider the case of a single processor, that is $m = 1$, and will drop the subscript 1 in the notation, e.g., $\mu$ would stand for $\mu_1$ and $\pi_i$ for $\pi_{1i}$. Let us now discuss some of the transitions that would additionally occur in this framework. For example, $\Gamma$ will contain a set of scheduling transitions, $\Gamma_{sch}$.

A scheduling policy determines the set of scheduling transitions. We consider only scheduling policies with a single entry transition that is enabled on all states. The entry transition is assumed to be enabled on the initial states, and activates non-deterministically one of the competing processes. A very popular and simple scheduling policy is greedy scheduling, according to which a process currently in control of the processor continues to remain active until all its transitions are disabled, when an arbitrary (other) process with an enabled transition takes over. More flexible scheduling strategies can be implemented by incorporating an explicit scheduling instruction $resume(s)$, where $s \subseteq \{1, \ldots, n\}$ determines a subset of processes. The scheduling operation $resume(s)$ suspends the currently active process $P_i$ and activates, nondeterministically, one of the processes $P_j$ with $j \in s$. A scheduling edge in the process $P_i$ will be represented as:

$$l_j \xrightarrow{\;p \Rightarrow (resume(s),\ [l, m])\;} l_k$$

where $[l, m]$, $l \le m$, specifies an (optional) delay which the scheduling operation may take, between $l$ and $m$ time units. Such an edge introduces an additional transition in $\Gamma$, grouped in $\Gamma_{sch}$ as follows:

$\nu_{sch} = (\sigma, \sigma') \in \Gamma_{sch} \Leftrightarrow$

1. $p$ holds in $\sigma$
2. $\sigma'(t) = \sigma(t) + \delta$
3. $\forall y \in V \setminus \{\mu, \pi_i\} : \sigma'(y) = \sigma(y)$
4. $\sigma(\mu) = i$ and $\sigma'(\mu) \in s$
5. $\sigma(\pi_i) = l_j$ and $\sigma'(\pi_i) = l_k$

where $\delta$ is a randomly selected constant such that $l \le \delta \le m$. In addition, a $suspend(i, j)$ operation, which suspends a process $P_i$ and activates process $P_j$, can also be defined as $resume(\{1 \le j \le m \mid i \ne j\})$, that is, the instruction $suspend(i, j)$ delegates the control from the currently active process $P_i$ to the process $P_j$. In practice, processes $P_i$ and $P_j$ could have some operational relationship with each other, e.g., $P_i$ is the parent process, which spawns $P_j$ as its child process, goes into a waiting state and activates $P_j$. On termination $P_j$ may hand the control back to $P_i$ using the operation $resume(\{i\})$.



8.2 Modeling Priorities and Interrupts 

We will next discuss how interrupts can be handled by introducing static priorities with global preemption semantics. Priorities will be represented using non-negative integers and will be assigned to every transition such that a lower value is interpreted as a higher priority. During execution, a transition with the highest priority at any time point is selected, and the current process is suspended if the ready process having the transition with the highest priority happens not to be the current process. A Multiprogramming Timeout based Model (MToM) $P$ with priority is one in which a priority is associated with every transition in the timed transition system for $P$. Using priorities it is possible to design a simple, static scheduling strategy without resorting to explicitly constructing a scheduler.

As an example, in a ToM, an extended timeout edge in the graph of the process $P_i$ would be represented as $e : (l_j, p_e \Rightarrow (\tau_i := update_i, \gamma, f, p_e), l_k)$, where the additional parameter $p_e \in \mathbb{N}$ is the priority associated with the transition $e$. All other edges, e.g., synchronous communication and asynchronous communication, would be extended similarly.

Accordingly, we extend the semantics also. For the prioritized timeout edges, a transition with the highest priority is allowed by adding it to $\Gamma_0$ in the following way.



Prioritized Timeout Increment Transition: Collect all those extended timeout edges $e$ for which the corresponding transitions are enabled in the current state $\sigma$, that is, $p_e$ holds in $\sigma$. Let $En_\sigma$ be the set of these enabled edges. Now select those timeout edges $e_h \in En_\sigma$ which have the highest priority, i.e., $\forall e' \in En_\sigma.\ p_h \le p_{e'}$. Add the transition $\nu_h = (\sigma, \sigma')$ to $\Gamma_0$ such that:

$\nu_h = (\sigma, \sigma') \in \Gamma_0 \Leftrightarrow$

1. $p_h$ holds in $\sigma$
2. $\sigma'(t) = \sigma(t)$
3. If $\sigma(\tau_i) = \sigma(t)$ then $\sigma'(\tau_i) = update_i > \sigma(\tau_i)$ else $\sigma'(\tau_i) = \sigma(\tau_i)$
4. $\forall y \in \gamma : \sigma'(y) = \sigma(t)$ and $\forall x \in X \setminus \gamma : \sigma'(x) = \sigma(x)$
5. $\forall v \in G \cup L_i : \sigma'(v) = f(\sigma(v))$ and $\forall v \in Var \setminus (G \cup L_i) : \sigma'(v) = \sigma(v)$
6. $\sigma(\pi_i) = l_j$ and $\sigma'(\pi_i) = l_k$
7. $\sigma'(\mu) = i$

If there are multiple enabled edges with the same highest priority, their corresponding transitions are non-deterministically interleaved.

All the remaining transitions can be extended similarly. Under such extended syntax and semantics, an interrupt can be modeled as an edge having a higher priority than the other enabled transitions:

$$e_{int} : (l_j, True \Rightarrow (\tau_i := update_i, f, p_{int}), l_k)$$

where $update_i$ specifies the delay in interrupt processing and $f$ specifies the steps in interrupt processing. Note that $p_{int}$ is such that $\forall \sigma \in \Sigma.\ \forall e \in En_\sigma.\ p_{int} < p_e$.



8.3 Modeling Urgent Location and Committed Location 

In UPPAAL there are three different types of locations: normal locations, urgent locations and committed locations [BDL04]. In a normal location time can progress, but in urgent and committed locations time is not allowed to proceed. Moreover, there is a subtle difference between urgent and committed locations. Urgent locations can be interleaved with the normal locations, but a committed location has to be followed by its immediate successor. The requirement of considering a location to be urgent or committed arises out of the nature of the application being modeled in UPPAAL. For example, committed locations are used to model atomic behaviors in multi-way synchronizations and atomic broadcasting in real-time systems [BGK02].

In timeout and calendar based models, we model an urgent or a committed location in the following way. For all the incoming edges to the urgent or committed location in process $P_i$, $update_i$ is set to the current time $t$, and in the case of clockless modeling $update^-_i$ is set to 0.

If a process in a system has a committed location, we introduce a boolean variable $committed\_flag$ in the set of global variables $G$. For all the incoming edges to a committed location, $committed\_flag$ is set to 1 (as part of $f$), and for incoming edges to a non-committed location one is not allowed to set the flag to 1. The guard $p$ for a transition following a committed location is always $True$, and $committed\_flag$ is reset during this transition. For all the transitions except those following the committed locations, the existing guard $p$ is replaced by $p \wedge (committed\_flag \ne 1)$. This does not allow any other process to take a discrete transition while a process is in a committed location.

9 Conclusion and Further Work 

In this work we have considered the well-known problem of real-time verification with dense time dy- 
namics using timeout and calendar based models and proposed a technique to simplify this to a finite 
state verification problem. Towards this, we defined a specification formalism for these models as timeout 
transition diagrams with associated transition system semantics. Next, we proposed a two-step reduction 
technique for rendering these models amenable to finite state verification under discrete dynamics. Our 
experimental results bring out the advantages gained by this technique over infinite state modeling and 
verification. Experiments on Fischer's protocol and the TTA startup protocol highlight that the verification 
technique scales reasonably well. Further, liveness properties can be verified in this framework, which 
is beyond the capability of infinite state verification. Though in [DuS04a] it has been reported that 
verification of Fischer's protocol can be scaled up to 53 nodes, the verification process involved find- 
ing auxiliary lemmas manually, which is a non-trivial process. On the other hand our finite state 
verification, though it could not be scaled to this extent, is nonetheless simple and straightforward. The 
verification effort involves only modeling the protocols faithfully. SAL offers a number of tools for finite 
state verification, for example, SAL-sim, SAL-path-finder and SAL-deadlock-checker, which help considerably 
in the verification process. Such tool support is not yet available for infinite state verification. Moreover, 
one can use any finite state verification engine of choice with our framework. 

We limited our attention to the qualitative temporal properties that correspond exclusively to LTL 
formulas. However, the proposed reduction technique is amenable to any specification logic which is 
closed under inverse digitization, including the branching time temporal logics CTL and CTL*. 

The effectiveness of the proposed finitary reduction technique can be further scaled up by integrating 
it with additional abstraction techniques to verify parametric systems with an arbitrary but finite number 
of identical processes. Saïdi and Lesens [LeS97] presented an algorithm for automatically constructing 
abstractions for such systems to verify safety properties. The (0, 1, ∞) counter abstraction method 
proposed in [PXZ02] deals with the verification of liveness properties by abstracting a parameterized 
system of unbounded size into a finite-state system. The proposed formalism can be further optimized by 
considering timeouts as shared variables among processes, so that timeout update rules could specify 
new timeout values based upon those of other processes in the system. This optimization would increase 
the level of synchronization between component processes and would hopefully scale up the models. 

In the larger perspective it can be said that for most of the timeout and calendar based models (i.e., 
those for which timeout updates are not restricted to the (0, 1)-interval) verification of LTL properties with dense 
time dynamics reduces to finite state modeling and verification of the same properties. In industrial 
designs, this could offer a significant advantage, as it is easier for practitioners to use finite state model 
checkers to model and verify timed systems. 

Decidability and complexity theoretic aspects of the reachability analysis on these models are an im- 
portant research direction for further investigation. A comparison of the expressiveness of ToM (or calendar 
based ToM) with other known formal models of real-time systems, including Timed Automata [Alu99], 
Timed Petri Nets [Jia98], and Timed Process Algebras [BeJ91], would shed light on the comparative 
strength of these models for practical purposes. For example, these comparisons could reveal other prop- 
erties desirable of a modeling framework, including compositionality and robustness against clock drifts, and 
may demonstrate the difficulty of modeling timeout models in these formalisms as compared to ToM. 

Acknowledgment Indranil Saha and Suman Roy did most of this work when they were with HTS 
Research, Bangalore. 